Sign-out behaviour change in Custom Policy and built-in user flow.

Saqib Ahmed 46 Reputation points
2020-06-24T06:51:33.853+00:00

Hi, I am having this strange issue with my Custom Policies, based on the SocialAndLocalAccountsWithMfa starter pack.
The behaviour that we are looking for, which is achieved with user flows, is as follows:
When the user signs out from the application and then hits sign in again, he should be prompted for a reauthentication.
But when I use the same app to execute the custom policy it will reauthenticate without entering creds.
I have adjusted the <UserJourneyBehaviors> but nothing.
I added and changed the following in

<UserJourneyBehaviors>  
      <SingleSignOn Scope="Policy" KeepAliveInDays="7" />  
      <SessionExpiryType>Rolling</SessionExpiryType>  
      <SessionExpiryInSeconds>900</SessionExpiryInSeconds>  
      <!-- <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="your-application-insights-key" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" /> -->  
</UserJourneyBehaviors>  

Is there a way to check whether sign-out failed for the user, or any way to debug the issue? Or a way to change the behaviour?

The application goes to the logout URL when the user hits Sign out from the application.

  1. Request URL:
    https://mytenanct.b2clogin.com/mytenanct.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A44316%2F&x-client-SKU=ID_NET451&x-client-ver=5.4.0.0
  2. Request Method:
    GET
  3. Status Code:
    200 OK

Following is the URL when the user clicks Sign In from the application and gets logged in without authentication.

  1. Request URL:
    https://mytenanct.b2clogin.com/mytenanct.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize?client_id=ac8ca2c8-4cc3-43e3-8fd3-dcd592557f99&redirect_uri=https%3A%2F%2Flocalhost%3A44316%2F&response_mode=form_post&response_type=code%20id_token&scope=openid%20profile%20offline_access%20https%3A%2F%2FMYTENANCT.onmicrosoft.com%2Fdemoapi%2Fread%20https%3A%2F%2FMYTENANCT.onmicrosoft.com%2Fdemoapi%2Fwrite&state=OpenIdConnect.AuthenticationProperties%3Du1frIXk828jwoiEmCMuqTDTomxyjWAjDSV2---SUMJX7jDgjnKFPX4iO5VEbXPGHVgHA6GcLzPWjooSpDcTxM9iAoRUGXxDbyhBCLexjWNEMG7dqSu-wa2AqntAbcV1a0mk9dykGyrypS8gsuPtbNPvkgO_8YRuYSlRiJy8tYSA&nonce=637285777554418842.MjY2ZmVjYmEtMDY0ZS00ZTljLTk0MDUtMzk2MzkxODAyODUyZjc0NTkxZGEtN2I5YS00ODViLThkZTYtMWIwMjUyNjg3ZTc2&x-client-SKU=ID_NET451&x-client-ver=5.4.0.0
  2. Request Method:
    GET
  3. Status Code:
    200 OK

Any help will be highly appreciated to track it down or change the behaviour.

I have also configured single sign-out following this article, but it doesn't change the behaviour. https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior-custom-policy#single-sign-out


1 answer

  1. 2020-07-09T20:38:49.85+00:00

    Set SessionExpiryType to Absolute. You can also add the prompt=login query parameter to your request to force re-authentication.
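As an added illustration (not the asker's or the answerer's own configuration), the posted UserJourneyBehaviors element beside the same element with the answer's change applied; it assumes the element sits in the RelyingParty section of the policy, as in the starter pack:

```xml
<!-- Added example, not taken from the question or the answer.
     Assumption: this element lives under RelyingParty in the
     SocialAndLocalAccountsWithMfa starter pack's signup/signin policy. -->

<!-- As posted: with Rolling expiry the 900-second window is reset on each
     activity, so a sign-in that lands inside the window reuses the existing
     policy-scoped SSO session and the user sees no credential prompt. -->
<UserJourneyBehaviors>
  <SingleSignOn Scope="Policy" KeepAliveInDays="7" />
  <SessionExpiryType>Rolling</SessionExpiryType>
  <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
</UserJourneyBehaviors>

<!-- Per the answer: Absolute expiry ends the session a fixed 900 seconds
     after it was established, regardless of activity, after which the user
     must re-enter credentials. -->
<UserJourneyBehaviors>
  <SingleSignOn Scope="Policy" KeepAliveInDays="7" />
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
</UserJourneyBehaviors>
```

The answer's second option, prompt=login, is a query parameter on the /authorize request shown in the question, so it is set by the application rather than the policy; with the OWIN OpenID Connect middleware that issued that request (x-client-SKU=ID_NET451) it can be added to the outgoing protocol message in the RedirectToIdentityProvider notification.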