How to implement Single Sign Out in Azure AD B2C using Custom policies?

Andrew Renold 6 Reputation points
2022-10-21T05:28:48.54+00:00

We are currently using a single application registered with 4 redirect URIs for 4 Single Page Applications (SPAs) and have already configured the front-channel logout URL.

When I perform logout from one of the SPAs, it only logs me out from that SPA. The rest of the SPAs still have an active session and are not redirected back to the logout page.

@AmanpreetSingh-MSFT Please guide me to fix my issue and let me know if I made any wrong configuration, or suggest best practices.

Microsoft Entra External ID

1 answer

  1. Shweta Mathur 28,771 Reputation points Microsoft Employee
    2022-10-21T12:28:50.707+00:00

    Hi @Andrew Renold ,

    Thanks for reaching out.

    When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

    Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.

    To configure single sign-out in your custom policy, token issuer technical profiles must specify:
    The protocol name, such as <Protocol Name="OpenIdConnect" />
    The reference to the session technical profile, such as <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />.

    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <!-- JWT Token Issuer -->
        <TechnicalProfile Id="JwtIssuer">
          <DisplayName>JWT token Issuer</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <!-- ... -->
          <!-- Ties the issued token to the SSO session below so sign-out can revoke it -->
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
        </TechnicalProfile>

        <!-- Session management technical profile for OIDC based tokens -->
        <TechnicalProfile Id="SM-jwt-issuer">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy&WT.mc_id=AZ-MVP-5003445#configure-your-custom-policy

    Hope this will help.

    Thanks,
    Shweta

