Mleszek

Reputation: 51

Is it possible to force sign-out from external IdP federated with B2C

As of Microsoft documentation:

Sign-out When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.

Upon a sign-out request, Azure AD B2C:

  • Invalidates the Azure AD B2C cookie-based session.

  • **Attempts to sign out from federated identity providers.**

The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. If the user selects the same identity provider during a subsequent sign-in, they might reauthenticate without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their Facebook account. However, if local accounts are used, the user's session ends properly.

What does it mean that B2C attempts to sign out from federated identity providers? How does it try to accomplish the sign-out? Does it try to use the SingleLogoutService if provided in the federation SAML/OIDC metadata URL? Or is some additional configuration on the B2C/Custom Policy side needed?

I've (following the B2C documentation) added Salesforce and Auth0 federations to the custom policies. On signing out, the Azure AD B2C cookie-based session is invalidated. Though if I choose any of the federated IdPs to log in again, I observe that this session is not invalidated, since I am reauthenticated without entering IdP credentials.

Is there a way to force sign-out from federated IdPs?

Upvotes: 2

Views: 1324

Answers (1)

Chad Hasbrook

Reputation: 221

https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out

This documentation walks you through how B2C attempts a sign-out from a federated identity provider. Review this section:

The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. If the user selects the same identity provider during a subsequent sign-in, they might reauthenticate without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their Facebook account. However, if local accounts are used, the user's session ends properly.

Not all IdPs have to respect this - like social identity providers. It creates strange behavior if you are attempting to sign out of a social identity provider like Facebook - I've seen many cases where end users hate it when they use their social IdP for multiple services and your service comes along and messes with their session.

Follow these steps:

  • OpenID Connect - If the identity provider's well-known configuration endpoint specifies an end_session_endpoint location. The sign-out request doesn't pass the id_token_hint parameter. If the federated identity provider requires this parameter, the sign-out request will fail.

  • OAuth2 - If the identity provider metadata contains the end_session_endpoint location.

  • SAML - If the identity provider metadata contains the SingleLogoutService location.

What's going on behind the scenes is a front-channel logout via an iframe.

Upvotes: 0
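A diagnostic for the three cases listed in the answer, added here as an example (not code from the answer, from Azure AD B2C, or from Microsoft): parse an IdP's OIDC discovery document or SAML metadata and report whether it advertises the endpoint that B2C's front-channel sign-out looks for, and flag the missing id_token_hint caveat. The IdP URLs and both documents are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample OIDC discovery document (placeholder IdP, not a real one).
OIDC_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "end_session_endpoint": "https://idp.example.com/oidc/logout",
})

# Constructed SAML IdP metadata advertising a SingleLogoutService (placeholder IdP).
SAML_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def oidc_logout_endpoint(discovery_json):
    """end_session_endpoint from the well-known document, or None if not advertised."""
    return json.loads(discovery_json).get("end_session_endpoint")


def saml_logout_endpoints(metadata_xml):
    """[(binding, location)] for every SingleLogoutService in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(s.get("Binding"), s.get("Location"))
            for s in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", MD_NS)]


def b2c_logout_expectation(discovery_json=None, metadata_xml=None):
    """Summarise what B2C's front-channel sign-out can do with this IdP's published metadata."""
    if discovery_json is not None:
        ep = oidc_logout_endpoint(discovery_json)
        if ep is None:
            return "no end_session_endpoint: B2C will skip the federated sign-out"
        # B2C sends no id_token_hint; an IdP that requires it will reject the iframe request.
        return f"B2C will load {ep} in an iframe without id_token_hint"
    slos = saml_logout_endpoints(metadata_xml)
    if not slos:
        return "no SingleLogoutService: B2C will skip the federated sign-out"
    return "B2C will attempt sign-out via SingleLogoutService at " + ", ".join(l for _, l in slos)
```

Run the two functions against the metadata B2C actually fetches for your Salesforce or Auth0 federation to see which branch applies before changing the custom policy.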
