This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 45%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
We are currently using a single Application registered with 4 redirect URIs for 4 Single Page Applications (SPA) and already configured the Front-Channel logout URL.
When I perform logout from one of the SPA, it only logs me out form that SPA. Rest of the SPAs are still having the active session and not redirected back to the log out page.
@AmanpreetSingh-MSFT Please guide me to fix my issue and let me know if I made any wrong configuration/ suggest best practices.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Andrew Renold ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,
Shweta
Hi @Andrew Renold ,
Thanks for reaching out.
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
To configure single sign-out in your custom policy, token issuer technical profiles must specify:
The protocol name, such as <Protocol Name="OpenIdConnect" />
The reference to the session technical profile, such as UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />.
<ClaimsProvider>
<DisplayName>Local Account SignIn</DisplayName>
<TechnicalProfiles>
<!-- JWT Token Issuer -->
<TechnicalProfile Id="JwtIssuer">
<DisplayName>JWT token Issuer</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputTokenFormat>JWT</OutputTokenFormat>
...
<UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
</TechnicalProfile>
<!-- Session management technical profile for OIDC based tokens -->
<TechnicalProfile Id="SM-jwt-issuer">
<DisplayName>Session Management Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Hope this will help.
Thanks,
Shweta
-------------------------------------
Please remember to "Accept Answer" if answer helped you.
Hi, @Shweta Mathur Thanks for your answer. But I've already gone through the suggested documentation but still, my issue is not resolved.
Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications to which the user is currently signed. - Here, Logout URL should be https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy-name>/oauth2/v2.0/logout, right?
If yes, which policy I should use in place of the policy? If not, then how to construct the logout URL?
Please clarify me with the above questions which are not clearly mentioned in the provided documentation.
Thanks and regards,
Andrew Renold
Apologies for delay in response.
Yes, The Azure AD B2C Logout endpoint should be https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<PolicyName>/oauth2/v2.0/logout
where policyName will be your SignUp_SignIn Userflow or Custom policy.
The same should be configured in the application registered in portal in Front-channel logout URL for single sign out.
whereas post_logout_redirect_uri would be where you want to redirect your page after sign out.
Thanks,
Shweta
---------------------------------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 33%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
Hi @Shweta Mathur ,
I have a similar scenario. I tried the above suggestions and modified the JWT token issuer profile and configured the new JWT issuer profile in the last orchestration step. I still can't get to signout the user from the applilcation. The moment I click signin, it logs back in without requesting for credentials. Is there any code samples for Single signout implementation. Appreciate your help on this.
Thanks,
Jeevan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 5%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECH%3C/text%3E%3C/svg%3E)
the OP is correct, it doesn't make sense what the answer is here. Where or how is there a reference for the logout URL to be called from a the custom policy?
the documentation says this.
When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in to. Note, the application that triggers the sign-out request will not get this log-out message. Your applications must respond to the sign-out request by clearing the application session that identifies the user.
How is this done in the custom policy?