Azure AD B2C Single Sign out - cannot redirect to provided URL and get blank page

Jacky Chan 0 Reputation points
2023-05-16T10:25:03.77+00:00

We are implementing SSO in Azure AD B2C using a custom policy that is based on sample code from the Microsoft GitHub. However, I get a blank page when sending a sign-out request. It does clear the user's session, and the user needs to reauthenticate to my application, but it cannot redirect the user to the provided redirect URI. My B2C application is configured with a custom domain, so the default tenant host of the sign-out request is replaced by our custom domain. I am wondering whether something is missing or done wrong here. Please guide me to fix the issue. Thank you.

The screen capture below shows the blank page error:

[Screenshot 2023-05-16 at 5.53.02 PM: blank page after the sign-out request]

Sign-out request url:

https://<custom_domain>/<tenant>.onmicrosoft.com/<policy>/oauth2/v2.0/logout?post_logout_redirect_uri=<redirect_uri>&id_token_hint=<id_token>

Configurations:

  1. In the custom policy, set the EnforceIdTokenHintOnLogout attribute of the SingleSignOn element to true.
  2. In the B2C sign-in application, add <redirect_uri> to the Reply URLs section.
  3. In the B2C sign-in application, add the following URL as the Front-channel logout URL:

https://<custom_domain>/<tenant>.onmicrosoft.com/<policy>/oauth2/v2.0/logout


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-05-18T00:59:01.5666667+00:00

    @Jacky Chan

    I understand that your users are not being redirected after signing out from your application.

    Please verify that your B2C policy and signed-in applications have been configured for B2C single sign-out as described in the document here:

    https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out

    In particular, ensure that the Logout URI is configured in the app registration under Authentication, under Front-channel logout URL. Since it looks like you are using OAuth2, you need to ensure that the appropriate session provider is configured.

    Please share your app registration settings and custom policies and confirm the following:

    1. Verify that the user has consented to the application.
    2. Confirm that the Logout URL starts with HTTPS.
    3. Confirm that the Logout URL is registered as a reply URL in the portal.
    4. Confirm that the configured authority matches the supported account types.
    5. Confirm that iframes are not being blocked.
    6. Ensure that the browser is enabled to allow third-party cookies. This is a substantial requirement for single sign-out via front-channel logout to work. If the browser is configured to block third-party cookies, single sign-out will not work.

    If you share the sample you are using, it will be easier for me to diagnose this issue.

    Updating this thread: Feel free to reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID if you would like to send more information and get this addressed.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

    1 person found this answer helpful.
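The sign-out request in the question and the checklist in the answer both come down to the same pre-flight conditions on the logout URL: the post_logout_redirect_uri must be HTTPS and must match a registered reply URL exactly, and with EnforceIdTokenHintOnLogout set to true the id_token_hint must be present and must be a token issued by the same policy to the same application. The script below, added here as an example and not code from the thread or from Microsoft, builds the custom-domain logout URL in the shape shown in the question and runs those checks before the request is sent. The tenant, policy, custom domain, client_id and reply URL are placeholders, and the id_token is a constructed, unsigned JWT so the example runs offline; B2C itself rejects unsigned tokens and validates the hint's signature server-side, which this script deliberately does not do.

```python
"""Pre-flight checks for an Azure AD B2C sign-out request (added example)."""
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    # Constructed test token (alg=none). B2C will not accept it; it only
    # feeds the client-side checks below so the example runs offline.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(token: str) -> dict:
    # Parse the payload only. No signature verification here: B2C validates
    # the hint itself; the goal is to spot the wrong token before sending it.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def build_logout_url(custom_domain, tenant, policy, post_logout_redirect_uri, id_token):
    # Same shape as the request in the question, with the custom domain as host
    base = f"https://{custom_domain}/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout"
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri,
                       "id_token_hint": id_token})
    return f"{base}?{query}"


def check_logout_request(url, registered_reply_urls, client_id, policy, now=None):
    """Return the list of problems found; an empty list means every check passed."""
    now = time.time() if now is None else now
    problems = []
    params = parse_qs(urlsplit(url).query)
    redirect = params.get("post_logout_redirect_uri", [""])[0]
    hint = params.get("id_token_hint", [""])[0]

    if urlsplit(redirect).scheme != "https":
        problems.append("post_logout_redirect_uri must use https")
    # The reply URL is compared as an exact string against the app registration,
    # so a stray trailing slash or different case is enough to fail the match
    if redirect not in registered_reply_urls:
        problems.append("post_logout_redirect_uri is not registered as a reply URL")

    if not hint:
        problems.append("id_token_hint missing (required when EnforceIdTokenHintOnLogout=true)")
        return problems
    try:
        claims = id_token_claims(hint)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if claims.get("aud") != client_id:
        problems.append("id_token_hint aud does not match the sign-in app's client_id")
    if claims.get("exp", 0) <= now:
        problems.append("id_token_hint has expired")
    # B2C tokens carry the policy name in 'tfp' or 'acr' depending on the policy
    token_policy = claims.get("tfp") or claims.get("acr") or ""
    if token_policy.lower() != policy.lower():
        problems.append("id_token_hint was issued by a different policy")
    return problems


# Placeholder values (assumptions for the example, not from the thread)
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
POLICY = "B2C_1A_signup_signin"
CUSTOM_DOMAIN = "login.example.com"
TENANT = "contoso"
REPLY_URL = "https://app.example.com/signout-callback"
REPLY_URLS = {REPLY_URL}
TOKEN = make_unsigned_id_token({"aud": CLIENT_ID, "tfp": POLICY,
                                "exp": int(time.time()) + 3600})

if __name__ == "__main__":
    url = build_logout_url(CUSTOM_DOMAIN, TENANT, POLICY, REPLY_URL, TOKEN)
    print(url)
    print(check_logout_request(url, REPLY_URLS, CLIENT_ID, POLICY))
```

Run it against the real values before opening the logout URL in a browser: a non-empty list from check_logout_request points at the configuration item to fix, whereas B2C itself only shows the blank page described in the question.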
