Single Sign Out in Azure AD B2C using Custom policies not working as expected

Question

We are trying to implement SSO Azure AD B2C using Custom policies. We have a single App Registration with 2 redirect URIs for 2 Single Page Applications. The Single Sign In Process is working as expected. But we are facing an issue with Single Sign Out.

Our requirement is to perform logout from one of the SPA then it should be signed out from other applications as well. But with our current implementation other Single Page Applications still have active sessions and are not redirected as expected.

Our current implementation steps are given below

• Added below Redirect URLs
  
• Added Front-channel logout URL
  https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{PolicyName}/oauth2/v2.0/logout
• Added below Claims Provider in the policy
  <ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
  <!-- JWT Token Issuer -->
  <TechnicalProfile Id="JwtIssuer">
  <DisplayName>JWT token Issuer</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
  </TechnicalProfile>
  <!-- Session management technical profile for OIDC based tokens -->
  <TechnicalProfile Id="SM-jwt-issuer">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </TechnicalProfile>
  <!--SAML token issuer-->
  <TechnicalProfile Id="Saml2AssertionIssuer">
  <DisplayName>SAML token issuer</DisplayName>
  <Protocol Name="SAML2" />
  <OutputTokenFormat>SAML2</OutputTokenFormat>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
  </TechnicalProfile>
  <!-- Session management technical profile for SAML based tokens -->
  <TechnicalProfile Id="SM-Saml-issuer">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </TechnicalProfile>
  </TechnicalProfiles>
  </ClaimsProvider>
• Added the User journey code in Policy
  <UserJourneyBehaviors>
  <SingleSignOn Scope="TrustFramework" EnforceIdTokenHintOnLogout="true" />
  </UserJourneyBehaviors>
• Added the below piece of code in our SPA(Angular)
  signOut(): void {
  localStorage.removeItem("currentUser");
  const request = {
  redirectStartPage: "/",
  scopes: ["openid", "profile", ${environment.AppClientId}]
  };
  this.msalService.acquireTokenSilent(request as SilentRequest).subscribe({
  next: (result: AuthenticationResult) => {
  this.msalService.logoutRedirect({idTokenHint: result.idToken, postLogoutRedirectUri: 'http://localhost:4200/logout'});
  },
  error: (error) => {
  }
  });
  }

Please guide me to fix this issue and please correct me if I am doing something wrong here.

Answer 1

Hi @Sajna M Nair ,

Make sure that the logoutURL in the Location attribute of the SingleLogoutService element is set (or is configured as the logoutURL in the manifest of the app registration):

<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/logout" ResponseLocation="https://samltestapp2.azurewebsites.net/logout" />  

Please also confirm the following:

1) If you have the Single sign-out from your custom policy uploaded to B2C. https://learn.microsoft.com/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out

2) Check if you have the correct registered logout URL for all of your apps.

3) Please capture a fiddler trace log when reproducing the issue.