This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 15%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERT%3C/text%3E%3C/svg%3E)
Hi All,
We have created one Web App(using ASP.NET Core 3.1) that uses Open ID protocol to authenticate with Azure AD B2C.
and one another web app that uses SAML protocol to authenticate with Azure AD B2C( https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-user-flow )
We want to achieve SLO ( Single Logout) between these two apps i.e if user sign out from one app it should automatically sign you out from other app.
Is it possible? If yes, how to achieve the same. We are using custom policies for sign up and sign in.
Hello @Roshan Tolwani , SLO is possible in Azure AD B2C. The protocol (OIDC or SAML) do not matter as they rely on the same mechanism and resources for managing the user session. Please follow the steps detailed in Configure your custom policy and let us know if you need additional assistance.
Hi @Alfredo Revilla - Senior Freelance SWE, SWA, IAM
We have two different custom policies for Sign-In, one for SAML and one for Open ID.
When we Sign-out from one, it doesn't Sign-out from the other app. Single logout works between two open-id apps and two saml-apps but it doesn't work between open-id app and saml app.
Please let me know if anything extra needs to be done if we are using multiple authentication protocols.
Hi @Alfredo Revilla - Senior Freelance SWE, SWA, IAM
We are using custom policy from starter pack (SocialAndLocalAccountsWithMfa) and for SAML integration we are using below link
saml-service-provider
As mentioned below we have created two asp.net core apps that uses different protocols(OIDC and SAML) for authentication with Azure AD B2C.
Single Sign In is working but Single Logout is not working between open id app and saml app.
Please let us know if anything extra needs to be done to achieve single logout
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 28.999999999999996%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERW%3C/text%3E%3C/svg%3E)
I am able to reproduce this same behavior. I can achieve SLO for multiple SAML apps along with the B2C session and I can achieve SLO for multiple OIDC apps along with the B2C session but the SAML logout fails to tell the OIDC applications to logout and the OIDC logout fails to tell the SAML apps to logout. In Fiddler I can see the iframe process make the calls to the logouts but it handles SAML or OIDC applications but not both.
After more experimenting I have gotten SLO to work between OIDC and SAML apps. It only works when the policies share a common base file. If the SAML and OIDC policies are wholly independent then SLO fails but if they share a base it works. This is in spite of the SSO scope to be Tenant.
Hello @Randy Wiemer , thanks for sharing such information. I will reach the B2C team to get their comments about this and come back ASAP.
The logoff process is more specific than just sharing a common base policy. My testing is showing that for a SAML logoff to cause a logoff to an OIDC app the SAML policy must contain a dormant jwt issuer tech profile and the oauth session manager and the names of these otherwise unused TPs must exactly match the names of the TPs used in the OIDC policy. This holds true going the other way as well. In order for an OIDC logoff to cause a SAML logoff the OIDC policy must include a dormant SAML issuer and SAML session management policy with the exact same names as the names of the TPs in the SAML policy.
The easy way to establish this pattern is to have the OIDC and SAML policies chain to a common base holding these TPs. However, this is not the standard pattern we've been using. Instead we create an OIDC policy that holds everything needed for OIDC and if we need SAML we create a SAML veneer over the top of the OIDC policy adding and changing the specific differences needed to support SAML.
We will need to rethink this pattern. Another reason we will need to rethink this is because we are now supporting custom refresh journeys and this requires an Endpoints element in the relying party that cannot be present in a SAML policy. The inheritance model does not allow us to remove this element which makes maintaining a SAML policy derived from our OIDC policies much harder.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 3%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hello @Alfredo Revilla - Senior Freelance SWE, SWA, IAM , Were you able to get more information around it? We have same use case where one app is asp.net and another one is Angular.
I have not seen any response from Microsoft but the pattern I described above is working for us. SLO requires that each policy issuing tokens contain a copy of all the TPs that issue the tokens in scope for SLO as well as the SM TPs that cause the B2C cookies to be in the browser.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 18%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
We have the same use case here, but the difference is we wanted to put these SAML & OIDC enabled app in same session for SSO as well as SLO, is there any update on how to allow this using custom policies?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 90%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
The B2C SSO cookie works across OIDC and SAML without any significant complications. SLO is much harder but can be made to work by ensuring that each policy involved has the entire set of token issuing TPs and session management TPs the user's browser has acquired tokens from. These TPs are effectively dormant during signin but are important when the policy is referenced during the logout process. The policy must have knowledge of the other issuing TPs to properly handle the logout process.