Single Sign Out in Azure AD B2C using Custom policies not working as expected

Sajna M Nair 26 Reputation points
2022-12-13T08:56:29.837+00:00

We are trying to implement SSO in Azure AD B2C using custom policies. We have a single app registration with two redirect URIs for two single-page applications. The single sign-in process is working as expected, but we are facing an issue with single sign-out.

Our requirement is that signing out from one of the SPAs should also sign the user out of the other applications. But with our current implementation, the other single-page applications still have active sessions and are not redirected as expected.

Our current implementation steps are given below:

  • Added the redirect URIs for both SPAs (screenshot 270061-image.png in the original post, not reproduced here)
  • Added the front-channel logout URL:
    https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{PolicyName}/oauth2/v2.0/logout
  • Added below Claims Provider in the policy
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <!-- JWT Token Issuer -->
        <TechnicalProfile Id="JwtIssuer">
          <DisplayName>JWT token Issuer</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
        </TechnicalProfile>
        <!-- Session management technical profile for OIDC based tokens -->
        <TechnicalProfile Id="SM-jwt-issuer">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </TechnicalProfile>
        <!-- SAML token issuer -->
        <TechnicalProfile Id="Saml2AssertionIssuer">
          <DisplayName>SAML token issuer</DisplayName>
          <Protocol Name="SAML2" />
          <OutputTokenFormat>SAML2</OutputTokenFormat>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
        </TechnicalProfile>
        <!-- Session management technical profile for SAML based tokens -->
        <TechnicalProfile Id="SM-Saml-issuer">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  • Added the user journey behaviors to the policy:
    <UserJourneyBehaviors>
      <SingleSignOn Scope="TrustFramework" EnforceIdTokenHintOnLogout="true" />
    </UserJourneyBehaviors>
  • Added the following sign-out code to our SPA (Angular):
    // Imports used by the component method below (the environment path depends on
    // where the component lives in the Angular project).
    import { MsalService } from '@azure/msal-angular';
    import { AuthenticationResult, SilentRequest } from '@azure/msal-browser';
    import { environment } from '../environments/environment';

    signOut(): void {
      localStorage.removeItem("currentUser");
      // Silently obtain a fresh ID token so it can be passed as id_token_hint,
      // which EnforceIdTokenHintOnLogout="true" makes mandatory on the logout call.
      const request = {
        redirectStartPage: "/",
        scopes: ["openid", "profile", environment.AppClientId]
      };
      this.msalService.acquireTokenSilent(request as SilentRequest).subscribe({
        next: (result: AuthenticationResult) => {
          this.msalService.logoutRedirect({ idTokenHint: result.idToken, postLogoutRedirectUri: 'http://localhost:4200/logout' });
        },
        error: (error) => {
          // The token could not be refreshed silently, so no logout redirect is issued.
        }
      });
    }

Please guide me on how to fix this issue, and please correct me if I am doing something wrong here.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
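Single sign-out on B2C for OpenID Connect applications is front-channel: after one app sends the browser to the B2C logout endpoint, B2C loads the front-channel logout URL registered for each application in a hidden iframe, so that URL has to be a page served by the SPA itself that clears its own local session (see the session-behavior documentation linked in the accepted answer below). The following added example, which is not code from the original post or from Microsoft, shows both ends of that flow: building the B2C end-session URL with the mandatory id_token_hint and a post_logout_redirect_uri checked against the registered redirect URIs, and the handler that the SPA's front-channel logout page runs inside the iframe. The tenant name, policy name, client ID, registered URIs and the cache contents are constructed placeholder values.

```javascript
// Added example (not code from the original post or from Microsoft): the two halves
// of OIDC front-channel single sign-out on Azure AD B2C, written against a storage
// abstraction so it also runs in Node. TENANT, POLICY, CLIENT_ID and the registered
// URIs are assumed placeholder values.

const TENANT = "contoso";                                  // assumed B2C tenant name
const POLICY = "B2C_1A_signup_signin";                     // assumed custom policy id
const CLIENT_ID = "11111111-2222-3333-4444-555555555555";  // assumed app (client) id

// Redirect URIs assumed to be registered on the one app registration shared by the
// two SPAs. post_logout_redirect_uri is only honoured when it matches one of these.
const REGISTERED_REDIRECT_URIS = [
  "http://localhost:4200/logout",
  "http://localhost:4300/logout",
];

// Half 1: the app that initiates sign-out sends the browser here. The policy sets
// EnforceIdTokenHintOnLogout="true", so a missing id_token_hint is rejected up front
// instead of producing an opaque B2C error page, and the post-logout URI is checked
// against the registered list before any redirect is issued.
function buildLogoutUrl({ idToken, postLogoutRedirectUri }) {
  if (typeof idToken !== "string" || idToken.length === 0) {
    throw new Error("id_token_hint is mandatory when EnforceIdTokenHintOnLogout is true");
  }
  if (!REGISTERED_REDIRECT_URIS.includes(postLogoutRedirectUri)) {
    throw new Error(`post_logout_redirect_uri is not a registered redirect URI: ${postLogoutRedirectUri}`);
  }
  const endSession = new URL(
    `https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/${POLICY}/oauth2/v2.0/logout`
  );
  endSession.searchParams.set("id_token_hint", idToken);
  endSession.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return endSession.toString();
}

// Half 2: what the page registered as each SPA's front-channel logout URL must do
// when B2C loads it in a hidden iframe. Nothing in that iframe can rely on the user's
// tab, so the only job is to wipe local session state and return. `storage` is
// anything with the Web Storage shape (localStorage in the browser, the in-memory
// stand-in below in tests). MSAL.js token entries embed the client id and its
// bookkeeping keys start with "msal."; the app's own keys are passed in explicitly.
// Account entries are not matched by these patterns (see the usage note).
function handleFrontChannelLogout(storage, appKeys = ["currentUser"]) {
  const removed = [];
  // Walk backwards so removing entry i does not shift the entries still to visit.
  for (let i = storage.length - 1; i >= 0; i--) {
    const key = storage.key(i);
    if (key.includes(CLIENT_ID) || key.startsWith("msal.") || appKeys.includes(key)) {
      storage.removeItem(key);
      removed.push(key);
    }
  }
  return removed.sort();
}

// Minimal in-memory stand-in for window.localStorage (constructed for testing).
function memoryStorage(entries = {}) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i],
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
    removeItem: (k) => map.delete(k),
  };
}

// Stand-alone demonstration with constructed cache contents (CommonJS only).
if (typeof require !== "undefined" && require.main === module) {
  const storage = memoryStorage({
    currentUser: JSON.stringify({ name: "Alice" }),
    "msal.account.keys": "[]",
    [`abc.def-${TENANT}.b2clogin.com-idtoken-${CLIENT_ID}-${POLICY}-`]: "eyJ...",
    theme: "dark",
  });
  console.log(buildLogoutUrl({ idToken: "eyJhbGciOi...", postLogoutRedirectUri: "http://localhost:4200/logout" }));
  console.log("cleared:", handleFrontChannelLogout(storage), "left:", storage.length);
}
```

In a real MSAL Angular app the iframe page should let MSAL clear its own cache, for example by calling logoutRedirect with onRedirectNavigate returning false so no navigation is attempted inside the frame; the storage-level handler above makes the same intent testable without a browser and only matches the key patterns noted in its comments. Also check that the page served at the front-channel logout URL is allowed to be framed by the B2C login host: a frame-busting X-Frame-Options or frame-ancestors policy stops the sign-out request from ever reaching that app, with nothing visible to the user.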

Accepted answer
  Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-12-15T21:18:37.817+00:00

    Hi @Sajna M Nair ,

    Make sure that the logoutURL in the Location attribute of the SingleLogoutService element is set (or is configured as the logoutURL in the manifest of the app registration):

    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/logout" ResponseLocation="https://samltestapp2.azurewebsites.net/logout" />
    </SPSSODescriptor>

    Please also confirm the following:

    1) That the single sign-out configuration from your custom policy has been uploaded to B2C: https://learn.microsoft.com/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out

    2) Check if you have the correct registered logout URL for all of your apps.

    3) Please capture a Fiddler trace when reproducing the issue.

    1 person found this answer helpful.

0 additional answers
