Reputation: 33
I have two applications using a single AD B2C tenant. I want to log the user out of both websites when the user signs out of either one of them. I'm using email for local accounts.
In AAD, there is a LogoutUrl registered on each application, which receives a GET request for the applications the user is currently signed in to. Source
I wonder if there is a workaround for AD B2C like in AAD.
PS: I am using this repo as reference.
Upvotes: 3
Views: 3591
Reputation: 955
Azure AD B2C doesn't support Single Log Out and we weren't able to find a workaround.
I've understood that in B2C scenarios Microsoft has assumed that IdPs are "social-media" type and considered it not in end-users' interest to be logged out of Facebook when they log out of some service to which they've authenticated via Twitter. Makes sense in that scenario.
However, in government-provided IdP scenarios it is usually a hard requirement to be able to support SLO.
We considered it to be more of a limitation by-design in B2C than technical, so we moved to using another authentication service provider that supports SLO. Apparently a wise choice as I haven't at least heard anything regarding SLO and Azure B2C as of today.
UPDATE
Azure AD B2C now supports Single Logout (SLO) in certain cases and may not actually work with registered SPA applications. Please check official documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Upvotes: 2
Reputation: 11
The suggested answer was from 3 years ago.
Please have a read here. https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Apparently, B2C does support single sign out, but I could not get it to work despite following the steps and I'm looking for answers on SO.
Upvotes: 1
Reputation: 1
According to the documentation, that is possible:
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
Upvotes: 0
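The quoted documentation describes two halves of the flow: the application redirects the user to the B2C sign-out endpoint, and B2C then issues a GET to each signed-in application's registered LogoutUrl, which must clear the session and answer 200. The following is an added example (not code from the question, the answers, or the referenced repo) of both halves as framework-agnostic Python: a handler for the LogoutUrl and a builder for the B2C end-session redirect. It assumes a server-side session store keyed by an opaque cookie named `app_session`, a tenant `contoso` and policy `B2C_1_signupsignin` as placeholders, and that the GET to the LogoutUrl arrives from the user's browser, so the session cookie has to be `SameSite=None; Secure` or the browser will not attach it to that cross-site request and the handler would have nothing to clear.

```python
"""Front-channel logout endpoint for Azure AD B2C single sign-out (added example).

Assumptions (not from the question or the linked repo):
- sessions live server-side, keyed by an opaque cookie "app_session";
- the LogoutUrl GET is made by the user's browser, so the cookie must be
  SameSite=None; Secure to be sent along with that cross-site request.
"""
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

SESSION_COOKIE = "app_session"

# In-memory session store for the example: cookie value -> user identity.
sessions: Dict[str, str] = {}


def create_session(session_id: str, user: str) -> None:
    """Record a signed-in user under an opaque session id."""
    sessions[session_id] = user


def session_cookie_attributes() -> str:
    """Cookie attributes that let the IdP's cross-site GET carry the cookie."""
    return "Path=/; HttpOnly; Secure; SameSite=None"


def front_channel_logout(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Handle GET <LogoutUrl>: clear whatever session the request identifies.

    Always answers 200, even when no session is found, so that one application
    can never block the identity provider's sign-out page for the others.
    """
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is not None:
        # Idempotent: an unknown or already-expired id is simply ignored.
        sessions.pop(morsel.value, None)

    response_headers = {
        # Expire the browser-side cookie as well as the server-side record.
        "Set-Cookie": f"{SESSION_COOKIE}=; Max-Age=0; {session_cookie_attributes()}",
        # A logout response must never be cached or replayed to another user.
        "Cache-Control": "no-store",
        "Content-Type": "text/plain",
    }
    return 200, response_headers, b"signed out"


def b2c_sign_out_url(tenant: str, policy: str, post_logout_redirect_uri: str,
                     id_token_hint: Optional[str] = None) -> str:
    """Build the B2C end-session URL the app redirects to when the user signs out here.

    The tenant and policy names passed by the caller are placeholders for the
    example; id_token_hint is optional and only needed if the policy requires it.
    """
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}"
            f"/oauth2/v2.0/logout?{urlencode(params)}")


if __name__ == "__main__":
    # Constructed walk-through: two signed-in sessions, B2C hits the LogoutUrl for one.
    create_session("sid-A", "alice")
    create_session("sid-B", "bob")
    status, hdrs, _ = front_channel_logout({"Cookie": "app_session=sid-A; other=1"})
    print(status, hdrs["Set-Cookie"], sorted(sessions))
    print(b2c_sign_out_url("contoso", "B2C_1_signupsignin", "https://app1.example/"))
```

Each of the two applications in the question needs its own LogoutUrl registered in its app registration and its own copy of this handler; B2C calls both, so the user's session in the second application is cleared even though the sign-out was started from the first. If the handler can only find the session via a `SameSite=Lax` cookie, the request will arrive without it and the 200 will be returned without anything being cleared, which is a common reason this flow appears not to work.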