Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider

3
votes

AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.

Is it possible to do front-channel single logout initiated through OpenID Connect?

OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html

Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation and reaching the AD FS. Thereby terminating the session in both the relying party, Azure AD B2C and AD FS.

If so, how is that configured in Azure AD B2C with custom policies?

1
azure-ad-b2c

1 Answers

8
votes

Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.

That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.

For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook and after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't messes up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.

All that said, you can still request support for this via the Azure AD B2C feedback forum.