Support for multiple users logging to Azure AD B2C external IDP from the same computer

Marina Gurevich 56 Reputation points
2020-12-11T14:33:39.833+00:00

Hello,

We have a hybrid application that is first asking users to enter their email address, then based on whether their email domain supports the Federated Authentication feature we direct them to Azure AD B2C login. If it doesn't we ask them for their internal application username and password stored in the database. We are not using B2C "local accounts" feature, only external IDPs. Currently we only support Azure AD as external IDP, but we are planning to introduce others. Since we only support one IDP per customer we are using direct-sign-in and passing user's email as login_hint and their email domain as domain_hint in MSAL.js call. Domain_hint is then mapped in custom policies to their Azure AD tenant sign-in user flow. So users are not presented by the B2C screen, but are taken directly to the external IDP login.

We want to support SSO and are using "tenant" scope, so that if user signs out of our app they are not signed out of their respective Azure AD and can still use it with other applications.

The issue is that if a user workstation is shared by multiple employees, which is a very likely scenario with our customers, if one user logs out of their application and then 2nd user tries to login, although I can see their tokens deleted from local storage, they are still able to sign-in with previous user token, without even being presented with a login prompt.

Is there a setting in MSAL.js or custom policies that would prevent that? I tried using prompt: 'login', but it didn't help, and then I read that it's not supported for external IDP providers in B2C.

Any suggestion would be welcome.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,631 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,342 questions
{count} vote