Support for multiple users logging in to Azure AD B2C external IDP from the same computer

Hello,
We have a hybrid application that first asks users to enter their email address; then, based on whether their email domain supports the Federated Authentication feature, we direct them to the Azure AD B2C login. If it doesn't, we ask them for their internal application username and password stored in the database. We are not using the B2C "local accounts" feature, only external IDPs. Currently we only support Azure AD as an external IDP, but we are planning to introduce others. Since we only support one IDP per customer, we are using direct sign-in and passing the user's email as login_hint and their email domain as domain_hint in the MSAL.js call. domain_hint is then mapped in custom policies to their Azure AD tenant sign-in user flow. So users are not presented with the B2C screen, but are taken directly to the external IDP login.
We want to support SSO and are using the "tenant" scope, so that if a user signs out of our app they are not signed out of their respective Azure AD and can still use it with other applications.
The issue is that if a user workstation is shared by multiple employees, which is a very likely scenario with our customers, and one user logs out of the application and then a second user tries to log in, then although I can see their tokens deleted from local storage, they are still able to sign in with the previous user's token, without even being presented with a login prompt.
Is there a setting in MSAL.js or custom policies that would prevent that? I tried using prompt: 'login', but it didn't help, and then I read that it's not supported for external IDP providers in B2C.
Any suggestion would be welcome.
If that helps to narrow it down, the issue is only happening with our corporate AAD connected to B2C and not with a basic test one connected to the same B2C with exactly the same settings.
Is there any setting on the AAD level that could affect it?
Hi @Marina Gurevich, sorry for the delay! I'm sending this to the product team to help get you a detailed solution. We should have an answer soon.
Best,
James
Hi James,
Any updates? I can imagine that other people who share the same browser for multiple users will run into this issue also.
Marina
As a workaround I added <InputClaim ClaimTypeReferenceId="prompt" DefaultValue="{OIDC:prompt}" AlwaysUseDefaultValue="true" /> to the AAD Claims Provider in the Custom Policies, and then added prompt: 'login' to the MSAL.js request when login_hint (user email) changes.
<InputClaims>
  <!-- Add the login hint value to the sign-in names claim type -->
  <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
  <InputClaim ClaimTypeReferenceId="hsu" PartnerClaimType="hsu" DefaultValue="1" AlwaysUseDefaultValue="true" />
  <!-- Forward the prompt parameter the application sent to B2C on to the external IDP -->
  <InputClaim ClaimTypeReferenceId="prompt" DefaultValue="{OIDC:prompt}" AlwaysUseDefaultValue="true" />
</InputClaims>