I have two applications configured with FRONT CHANNEL LOGOUT but AzureB2C does not seem to be triggering Single Sign Out

Anjam Tahir 0 Reputation points
2024-11-20T15:22:02.5033333+00:00

I have two applications configured in AzureB2C

  • A Web Application (ASP.NET Web Forms application) - APP 1
  • A SPA Application (Angular client side) - APP 2

For both applications I have enabled the front channel logout URL.

When I login into APP 1 and then open APP 2 in another browser tab I am automatically logged in to APP 2. This is exactly what I would expect, i.e. Single Sign In.

However, when I log out of APP 1, I cannot see the HTTP GET request to the logout page for APP 2 being triggered, and I expected this to be triggered by AzureB2C to log me out of APP 2. Hence I am still logged into APP 2.

Why would the HTTP GET request to the logout URL for APP 2 not be triggered?

I have followed the documentation and have configured the Front Channel logout URL for both and in both applications when the logout is user triggered I am passing the id_token_hint set to the id_token to allow azureb2c to verify the logout URL for each application.

Reference : https://learn.microsoft.com/en-gb/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow

Has anyone come across this issue? Any help in understanding what I may have missed would be greatly appreciated.

Many Thanks

1 answer

  1. Navya 13,965 Reputation points Microsoft Vendor
    2024-11-23T01:20:48.7633333+00:00

    Hi @Anjam Tahir

    Thank you for posting this in Microsoft Q&A.

    I understand that you have configured front-channel logout for both APP1 and APP2, but when you log out of APP1, you cannot see the HTTP GET request to the logout page for APP2 being triggered, and hence you are still logged into APP2.

    To clarify, when the user is redirected to the URI specified in the post_logout_redirect_uri parameter, Azure AD B2C verifies that the value of post_logout_redirect_uri matches one of the application's configured redirect URIs before performing the redirect, if a valid id_token_hint is passed and the "Require ID Token in logout requests" is turned on. As you mentioned, you are already passing the id_token_hint set to the id_token to allow Azure AD B2C to verify the logout URL for each application. I would recommend double-checking this configuration.

    Additionally, it is important to check whether third-party cookies are blocked. Many browsers are increasingly restricting third-party cookies for privacy reasons, which can impact the ability of applications to communicate logout events effectively across different domains or applications. Without third-party cookies, when a user logs out of one application, the front-channel logout mechanism may not propagate the logout event to other applications that rely on those cookies to identify the session. This means that existing access tokens for other applications for the same user will continue to be valid until their expiration time, and the user may still appear as logged in to those applications.

    For more information: how to handle third-party cookie blocking in browsers

    https://learn.microsoft.com/en-us/entra/identity-platform/reference-third-party-cookies-spas#limitations-on-front-channel-logout-without-third-party-cookies

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
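
An added example, not part of the thread and not Microsoft code: a small diagnostic for the third-party cookie point raised in the answer. It checks whether an application's front-channel logout page could clear a cookie-based session when it is loaded in a hidden cross-site iframe. The function name, the finding labels, the `contoso` origin and the sample header values are all constructed for illustration, and it assumes the iframe is hosted on the identity provider's origin.

```javascript
// Added diagnostic (hypothetical helper, not a Microsoft or MSAL API).
// Inputs are what you would copy from the browser's network tab:
//   idpOrigin  - origin of the page hosting the hidden logout iframe (assumed)
//   setCookie  - the Set-Cookie line that created the app's session cookie
//   headers    - response headers of the app's front-channel logout URL
function diagnoseFrontChannelLogout({ idpOrigin, setCookie, headers, thirdPartyCookiesBlocked }) {
  const findings = [];
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // 1. Can the logout page be framed at all?
  //    CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  //    Simplification: only exact origins and '*' are recognised as allowing the IdP.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    const sources = fa.slice(1);
    if (!sources.includes('*') && !sources.includes(idpOrigin)) {
      findings.push('framing-blocked-by-csp');
    }
  } else if (/^(deny|sameorigin)$/i.test((h['x-frame-options'] || '').trim())) {
    findings.push('framing-blocked-by-xfo');
  }

  // 2. Will the session cookie accompany the cross-site iframe request?
  //    Assumption: a missing SameSite attribute is treated as Lax,
  //    as Chromium-based browsers do.
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const sameSite = (attrs.find(a => a.startsWith('samesite=')) || 'samesite=lax').split('=')[1];
  if (sameSite !== 'none') {
    findings.push('cookie-not-sent-samesite-' + sameSite);   // Lax/Strict never reach an iframe
  } else if (!attrs.includes('secure')) {
    findings.push('cookie-rejected-none-without-secure');    // SameSite=None requires Secure
  } else if (thirdPartyCookiesBlocked) {
    findings.push('cookie-blocked-third-party');             // browser privacy setting wins
  }
  return findings; // empty array: neither condition prevents the logout page from working
}
```

An empty result only rules out these two conditions; a SPA that keeps its tokens in browser storage rather than cookies is covered by the limitations described in the linked article.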
