0 votes

I created an Azure B2C custom policy using the SAML flow and cannot find documentation on what logout URL I should use on the SP side. What I see in the SAML policy metadata XML:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/logout"/>

It does not work with my SP (Zendesk) and shows an error after the logout redirect: AADB2C99046: The logout request does not include a session index. I investigated the SAML logout request and it does not contain a SessionIndex element. As I understand the SAML standard documentation, SessionIndex is optional.

Is there any way to fix the logout functionality with SAML?

Here is the answer from Microsoft support:

After analyzing your request with our technical advisors and additional resources, we got a confirmation that for your particular setup, which has your B2C act as SAML Token Provider, the SessionIndex along with NameID is a must and needs to be provided by your Service Provider.

I know it is hard to track which requirements the setups in B2C usually need, with the information spread everywhere, but in Azure AD B2C the following are the two scenarios supported:

  1. Have Azure AD B2C acting as an IdP and achieving SSO with SAML-based Service Providers
  2. Have Azure AD B2C acting as a service provider (SP) and interacting with SAML-based identity providers like SalesForce and ADFS.

The first scenario (1), the one you have, requires your custom policy to set up your SAML token issuer, along with the SAMLSSOSessionProvider in the TechnicalProfile named SM-Saml-Issuer. SAML session logout will then not work without your SessionIndex and NameID attributes coming from your SP.

This is the only way to achieve a successful SAML logout call from your Service Provider.

Let me know if you have any questions, I can then review this and forward it to our experts if necessary.

Best regards,
Victor J. Hernandez | Support Engineer | Azure Support

1
Did you try removing the session index claim from the SAML SSO session management technical provider? - Jas Suri - MSFT
I tried, if I set to false (default is true) it just does not send session index on first saml request - sergey sahon
Hi @sergeysahon are you still looking for any help - Raghavendra beldona
@Raghavendra-MSFTIdentity I got response from microsoft support that SAML logout request without session index is not supported - sergey sahon
Hi @sergeysahon Thanks for letting us know. Can you please Provide the answer below so that it will be helpful for the others in the community - Raghavendra beldona
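To make the support answer concrete, here is an added example (not code from the question, from Zendesk, or from Microsoft's policy samples) that builds a SAML 2.0 LogoutRequest the way an SP must send it to B2C acting as IdP, with both NameID and SessionIndex, and a checker that mirrors the condition behind AADB2C99046. The issuer, NameID and SessionIndex values are constructed placeholders; the destination is the B2C logout URL quoted in the question.

```python
# Added example: SAML 2.0 LogoutRequest with NameID + SessionIndex, plus a check
# for the condition Azure AD B2C rejects (AADB2C99046: no SessionIndex).
# Issuer, NameID and SessionIndex values below are constructed placeholders.
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)


def build_logout_request(issuer, destination, name_id, session_index=None):
    """Return a LogoutRequest as an XML string. The SessionIndex is the value the
    SP received in the assertion that created its session (assumed to be stored)."""
    req = ET.Element(f"{{{NS_P}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_A}}}NameID").text = name_id
    if session_index is not None:  # optional per the SAML spec, required by B2C
        ET.SubElement(req, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def check_logout_request(xml_text):
    """Return (ok, reason); ok is False when NameID or SessionIndex is absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_P}}}LogoutRequest":
        return False, "not a LogoutRequest"
    if root.find(f"{{{NS_A}}}NameID") is None:
        return False, "missing NameID"
    if root.find(f"{{{NS_P}}}SessionIndex") is None:
        return False, "missing SessionIndex (AADB2C99046 at B2C)"
    return True, "ok"


if __name__ == "__main__":
    dest = ("https://tenant.b2clogin.com/tenant.onmicrosoft.com/"
            "B2C_1A_signup_signin_saml/samlp/sso/logout")
    without = build_logout_request("https://sp.example/metadata", dest, "user@example.com")
    with_idx = build_logout_request("https://sp.example/metadata", dest, "user@example.com",
                                    session_index="_session-index-placeholder")
    print(check_logout_request(without))   # (False, 'missing SessionIndex (AADB2C99046 at B2C)')
    print(check_logout_request(with_idx))  # (True, 'ok')
```

Running the checker over the LogoutRequest your SP actually emits (captured with a SAML tracer) tells you before the redirect whether B2C will accept it.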

1 Answer

0 votes

Most SPs using SAML will create their own session after you are authenticated. This session is only used by the SP that set it up. To do this, logout must do the following: delete all SP sessions.

The only truly reliable way to completely log out of SAML SSO is to delete all sessions, including identity provider sessions and all service provider sessions. Normally, this can be done simply by closing the browser.