How to sign-out a user in B2C federated via an external idp (Azure AD)

Abdul Mohammed 0 Reputation points
2023-03-23T21:17:37.9733333+00:00

Hi,

I wrote a custom policy in B2C that allows a user to sign in locally or from an external IDP (Azure AD). The sign-in process works fine for both a local user and a user in Azure AD. The sign-out works fine for a local user but doesn't work for a federated user.

As per the documentation, it should work seamlessly without writing any extra lines of code, but this doesn't seem to work.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out

I checked through SAML tracer but I don't see any request going out to Azure AD for logout.

For testing purposes, I then added the logout URL (https://login.microsoftonline.com/xxxxxx/oauth2/logout) in the "Front-channel logout URL" option. I tried with both v2 and v1. I see in SAML tracer that they are being called, but it still doesn't sign out the user from Azure AD.

Let me know if there is a solution for this issue.

Thanks,

Microsoft Security | Microsoft Entra | Other

1 answer

  1. Akshay Kaushik 18,026 Reputation points Microsoft Employee Moderator
    2023-03-27T12:51:31.1766667+00:00

    @Abdul Mohammed

    Thank you for posting your query on Q&A. As per Sign-out

    You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.

    • OpenId Connect - If the identity provider well-known configuration endpoint specifies an end_session_endpoint location. The sign-out request doesn't pass the id_token_hint parameter. If the federated identity provider requires this parameter, the sign-out request will fail.
    • OAuth2 - If the identity provider metadata contains the end_session_endpoint location.
    • SAML - If the identity provider metadata contains the SingleLogoutService location.

    For Azure AD, kindly follow Send a sign-out request, where you need to define post_logout_redirect_uri, and this URL must match one of the redirect URIs registered for your application in the app registration portal.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

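The answer above lists the conditions under which B2C forwards a sign-out to the federated IdP (an `end_session_endpoint` in the OIDC discovery document, or a `SingleLogoutService` in SAML metadata) and the requirement that `post_logout_redirect_uri` match a registered redirect URI. The following added example (not from the original thread or from Microsoft) checks constructed sample metadata for those endpoints and builds the end-session redirect; the tenant id, hostnames and redirect URIs are placeholders.

```python
"""Check whether an external IdP's metadata advertises a sign-out endpoint
(the condition under which Azure AD B2C sends a federated sign-out) and
build the OIDC end-session redirect with a validated post_logout_redirect_uri.
All metadata and URIs below are constructed placeholders, not real tenants."""
import json
import xml.etree.ElementTree as ET
from typing import Iterable, Optional
from urllib.parse import urlencode

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def oidc_logout_endpoint(discovery_json: str) -> Optional[str]:
    """end_session_endpoint from an OIDC discovery document, or None when the
    IdP does not advertise one (B2C then sends no sign-out to that IdP)."""
    return json.loads(discovery_json).get("end_session_endpoint")


def saml_logout_endpoint(metadata_xml: str) -> Optional[str]:
    """Location of the first SingleLogoutService in SAML IdP metadata, or None."""
    root = ET.fromstring(metadata_xml)
    slo = root.find(f".//{{{SAML_MD_NS}}}SingleLogoutService")
    return slo.get("Location") if slo is not None else None


def build_end_session_url(end_session_endpoint: str, post_logout_redirect_uri: str,
                          registered_redirect_uris: Iterable[str],
                          id_token_hint: Optional[str] = None) -> str:
    """Build the sign-out redirect. The post-logout URI must exactly match a
    redirect URI registered on the app registration, otherwise the IdP rejects it."""
    if post_logout_redirect_uri not in set(registered_redirect_uris):
        raise ValueError("post_logout_redirect_uri is not a registered redirect URI")
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:  # B2C omits this; some IdPs require it and fail without it
        params["id_token_hint"] = id_token_hint
    return f"{end_session_endpoint}?{urlencode(params)}"


# Constructed sample metadata (placeholder tenant id and hosts).
SAMPLE_OIDC = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenant-id}/v2.0",
    "end_session_endpoint": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/logout",
})
SAMPLE_OIDC_NO_SLO = json.dumps({"issuer": "https://idp.example/",
                                 "authorization_endpoint": "https://idp.example/auth"})
SAMPLE_SAML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `oidc_logout_endpoint` against the IdP's real discovery document is a quick way to confirm whether a missing `end_session_endpoint` explains why no sign-out request appears in the tracer.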
