Hi, I have been trying to implement a SSO Log out with two of our web applications. We currently have a web application which is running on .NET Framework (Web App A) & a Next JS Web App (Web App B) using the same Tenant. I have been able to successfully enable the SSO which is working between both Applications. However, I am unable to get the SSO Single Log out to work. Both Web Apps are registered within the Azure Portal under the same tenant and I have followed the documentation referenced below: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out I followed the documentation above and we're using OIDC. When I sign out of Web App A I expect the Web App B to be signed out upon the next request. However this doesn't seem to the case and vice versa. I was wondering if anyone could point me in the right direction. Thank you very much

Hi @Fouad S , Thanks for reaching out. I understand you are trying to sign the user out of all applications which have an active session using Single Sign Out. For OpenID Connect or OAuth2 applications, you have to configure " Front-channel logout URL " while registering your application with logout URL. When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in. During the sign-out, Azure AD B2C simultaneously sends an HTTP request to the registered logout URL of all the applications that the user is currently signed in to sign out from everywhere. Hope this will help. Thanks, Shweta Please remember to " Accept Answer " if answer helped you.

Azure B2C SSO Single Log out

Accepted answer

Shweta Mathur 27,381 Reputation points Microsoft Employee

2023-02-01T10:16:28.7833333+00:00

Hi @Fouad S ,

Thanks for reaching out.

I understand you are trying to sign the user out of all applications which have an active session using Single Sign Out.

For OpenID Connect or OAuth2 applications, you have to configure "Front-channel logout URL" while registering your application with logout URL.

When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in.

During the sign-out, Azure AD B2C simultaneously sends an HTTP request to the registered logout URL of all the applications that the user is currently signed in to sign out from everywhere.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.
Please sign in to rate this answer.
Fouad S 20 Reputation points

2023-02-01T16:23:55.8+00:00

Hi @Shweta Mathur ,

Thanks for getting back to me. I've double checked and I had already configured the Front end Channel Logout URL within the Azure Portal with the end_session_endpoint URL grabbed from the OpenId Connect Metadata for both Web Application A & Web Application B.

I've also ensured that the custom policy file has the following code changes applied to enable Single Log out.

 <TechnicalProfile Id="JwtIssuer"> <DisplayName>JWT token Issuer</DisplayName> <Protocol Name="OpenIdConnect" /> <OutputTokenFormat>JWT</OutputTokenFormat> ... <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" /> </TechnicalProfile>  <TechnicalProfile Id="SM-jwt-issuer"> <DisplayName>Session Management Provider</DisplayName> <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> </TechnicalProfile>

Unfortunately, whenever I hit the following url:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https://www.jwt.ms

(With my tenant & policy variables above changed) - I'm still logged in on one of the other Applications. This is also the case in reverse so if I log out on Web App A this time then Web App B will still be logged in upon the next request I hit on Web App B.

I was wondering if there is any other further configuration that I may be overlooking?

Thank you very much

Shweta Mathur 27,381 Reputation points Microsoft Employee

2023-02-02T04:17:21.5133333+00:00

Hi @Fouad S,

Single-sign-out is implemented in Azure AD B2C according to the Front channel logout URL.

Azure B2C while login is aware that user is logged into both the applications.

When user clicks on logout on Web App 1, it will call end_session_endpoint to clear the MSAL cookie and cache and calls Front channel logout URL of web App 2 and clear its MSAL cache.

However, for this to work properly, the browser must be enabled to allow third party cookies. This is a substantial requirement for single-sign-out via front-channel logout to work. If the browser is configured to block third party cookies, single sign-out will not work.

Another important requirement is that Front-channel logout URL should point to the address of your application that will be called by the Azure AD B2C during the sign out process. It should not be the B2C logout URL.

That is because, the regular log-out URL must clear user session and redirect to Azure AD B2C end-session endpoint. If you just configure that URL as front-channel logout URL, you might end up in an inconsistent state, or really not logging out.

Front channel logout URL should be like https://www.myapp.mydomain/logout

It seems Front channel logout URL is B2C logout URL which ends up clearing the user session and not clearing cache on webApp2.

Thanks,

Shweta

Please do not forget to "Accept the answer" and provide survey wherever the information provided helps you to help us and others in the community.

Shweta Mathur 27,381 Reputation points Microsoft Employee

2023-02-10T06:02:05.7+00:00

Hi Fouad S,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click Accept Answer and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks, Shweta

Fouad S 20 Reputation points

2023-05-04T13:25:57.28+00:00

Thank you this has answered my question.

Christian Holes 15 Reputation points

2023-07-08T16:31:20.8733333+00:00

this doesn't work.
Sign in to comment

Azure B2C SSO Single Log out

0 additional answers