Christian Matthew

Reputation: 4349

Is it possible to use Single Sign-Out for Azure B2C SPA application? Where do you describe the logout URL

The Azure B2C documentation states that it supports Single Log Out (SLO) but I can't figure out how this works with a registered SPA application.

Say one app is registered in B2C as app1.mydomain.com and another app as app2.mydomain.com. As well, there is a Front-channel logout URL, which is described as something that will log out the application specifically:

When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in to. Note, the application that triggers the sign-out request will not get this log-out message. Your applications must respond to the sign-out request by clearing the application session that identifies the user.

  • For OpenID Connect and OAuth2 applications, Azure AD B2C sends an HTTP GET request to the registered logout URL.
  • For SAML applications, Azure AD B2C sends a SAML logout request to the registered logout URL.

This is a setting that is in the app registration and for SPA applications there is nothing that you can do to reference the "log out" url.

The front-channel logout URL is predefined as https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<PolicyName>/oauth2/v2.0/logout

So if this is supposed to send an HTML iframe to "logout" of the other applications that it knows about, where can you add the logout URL? It's not in the custom policy or flow.

Other documentation suggests this:

Yes, you need to manually clear the local storage or handle it using your application.

What does that mean? How can we manually clear the cookies if the SLO functionality can't work because it does not know about the logout URLs of the applications?

Can we edit the front-channel logout URL to our domains, i.e. app1.mydomain.com/logout, which would then do something to hit the endpoint and then redirect them to the original Front-Channel logout URL?

Or, do we have to run the checks on the token for each app upon browser refresh and silent refresh capabilities of B2C?

Upvotes: 1

Views: 2722

Answers (1)

Dave D

Reputation: 8972

Configuration

Yes, you can set a per-application single-sign-out URL. The page you linked to contains details on how to do that for an app registration; it's in the section just before the one you linked to:

Configure your application

In order for an application to participate in single sign-out:

  • For SAML service providers, configure the application with the SingleLogoutService location in its SAML metadata document. You can also configure the app registration logoutUrl. For more information, see set the logout URL.
  • For OpenID Connect or OAuth2 applications, set the logoutUrl attribute of your app registration manifest. To configure the logout URL:
    1. From the Azure AD B2C menu, select App registrations.
    2. Select your application registration.
    3. Under Manage, select Authentication.
    4. Under the Front-channel logout URL, configure your logout URL.

1. From the Azure AD B2C menu, select App registrations.
   [screenshot: Azure AD B2C menu]

2. Select your application registration.
   [screenshot: Select app registration]

3. Under Manage, select Authentication.
   [screenshot: Select authentication]

4. Under the Front-channel logout URL, configure your logout URL.
   [screenshot: Configure logout URL]

How it works

The way this then works is that B2C keeps a record of each app that has signed in. When any one app signs out, B2C displays a (blank) page that calls the single-sign-out URL of each other app in an iFrame. Each of those single-sign-out URLs should point to a sign-out URL in the relevant application so the application can clear its cookies/session storage as needed.

For example, if you configure the following single-sign-out URLs in the relevant B2C app registrations:

Then you'd see the following:

  1. Sign into https://app1.com
  2. Sign into https://app2.com
  3. Sign into https://app3.com
  4. Sign out of https://app2.com
    1. Redirect to https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<PolicyName>/oauth2/v2.0/logout
      1. Display single-sign-out page
        1. Call https://app1.com/sign-out in iFrame
        2. Call https://app3.com/end-session in iFrame
      2. End B2C session
      3. Redirect back to app2
    2. End local session

Upvotes: 0
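As an added illustration of the flow in the answer above (this is example code written for this page, not Microsoft's or the answerer's code), here is what the page behind a SPA's Front-channel logout URL, e.g. https://app1.com/sign-out, can do. The tenant name, policy name, storage key prefix and post-logout redirect are placeholders; the `sid` check follows OIDC Front-Channel Logout 1.0, which lets the provider include `iss` and `sid` on the request, but whether B2C sends them is not stated on the page, so the handler treats them as optional and only refuses when a supplied `sid` contradicts the one the app saved from its own id_token. The in-memory storage shim exists only so the module runs outside a browser.

```javascript
// Added example: handler for a SPA's front-channel logout page.
// Assumptions (placeholders, not from the page): tenant, policy, key prefix, redirect.
const TENANT = "contoso";                    // assumption: B2C tenant name
const POLICY = "B2C_1_signupsignin";         // assumption: user flow / policy name
const APP_SESSION_PREFIX = "app1.session.";  // assumption: keys this SPA writes itself
const POST_LOGOUT_REDIRECT = "https://app1.com/"; // assumption: where to land after logout

const B2C_LOGOUT_URL =
  `https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/${POLICY}/oauth2/v2.0/logout`;

// Pull the optional iss/sid parameters off the request URL (both may be absent).
function parseFrontChannelRequest(urlString) {
  const url = new URL(urlString);
  return {
    path: url.pathname,
    iss: url.searchParams.get("iss"),
    sid: url.searchParams.get("sid"),
  };
}

// Remove every key under our prefix from a Web Storage-like object.
// Keys are collected first so removeItem() does not shift the index mid-loop.
function clearAppSession(storage, prefix = APP_SESSION_PREFIX) {
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k && k.startsWith(prefix)) doomed.push(k);
  }
  doomed.forEach((k) => storage.removeItem(k));
  return doomed;
}

// Decide what the sign-out page does:
//  - framed (loaded in B2C's hidden iframe during another app's logout):
//    clear local state, render nothing, do NOT redirect; B2C ends its own session
//    and sends the user back to the app that started the logout.
//  - top level (the user clicked "sign out" in this app):
//    clear local state, then go to the B2C logout endpoint, which fans out to the
//    other apps' front-channel URLs and finally redirects to POST_LOGOUT_REDIRECT.
function handleSignOut({ requestUrl, framed, storage, prefix = APP_SESSION_PREFIX }) {
  const req = parseFrontChannelRequest(requestUrl);
  const storedSid = storage.getItem(prefix + "sid"); // assumption: saved from id_token.sid
  if (req.sid && storedSid && req.sid !== storedSid) {
    // Someone framed our logout page with a sid that is not our session:
    // do not let an unrelated page log this user out (logout CSRF / nuisance DoS).
    return { cleared: [], action: "ignore", reason: "sid-mismatch" };
  }
  const cleared = clearAppSession(storage, prefix);
  if (framed) return { cleared, action: "none" };
  const redirect = new URL(B2C_LOGOUT_URL);
  redirect.searchParams.set("post_logout_redirect_uri", POST_LOGOUT_REDIRECT);
  return { cleared, action: "redirect", location: redirect.toString() };
}

// Constructed in-memory stand-in for window.localStorage so the module runs in Node.
function makeStorage(entries = {}) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key(i) { return Array.from(map.keys())[i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
  };
}

// Browser entry point for the page served at the registered Front-channel logout URL.
if (typeof window !== "undefined" && typeof window.localStorage !== "undefined") {
  const result = handleSignOut({
    requestUrl: window.location.href,
    framed: window.self !== window.top,
    storage: window.localStorage,
  });
  if (result.action === "redirect") window.location.replace(result.location);
}

if (typeof module !== "undefined") {
  module.exports = { parseFrontChannelRequest, clearAppSession, handleSignOut, makeStorage, B2C_LOGOUT_URL };
}
```

One caveat a practitioner should plan for: the iframe B2C opens runs your origin in a third-party context, and browsers that partition third-party storage (Safari with ITP, Chrome with storage partitioning) can hand that iframe a separate localStorage, so the clear may not touch what the top-level app1 tab holds. That is why the fallback the question mentions, re-validating the token (or doing a silent request against B2C) on focus or refresh, is still worth keeping alongside the front-channel page.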
