We have a hybrid application that is first asking users to enter their email address, then based on whether their email domain supports the Federated Authentication feature we direct them to Azure AD B2C login. If it doesn't we ask them for their internal application username and password stored in the database. We are not using B2C "local accounts" feature, only external IDPs. Currently we only support Azure AD as external IDP, but we are planning to introduce others. Since we only support one IDP per customer we are using direct-sign-in and passing user's email as login_hint and their email domain as domain_hint in MSAL.js call. Domain_hint is then mapped in custom policies to their Azure AD tenant sign-in user flow. So users are not presented by the B2C screen, but are taken directly to the external IDP login.
We want to support SSO and are using "tenant" scope, so that if user signs out of our app they are not signed out of their respective Azure AD and can still use it with other applications.
The issue is that if a user workstation is shared by multiple employees, which is a very likely scenario with our customers, if one user logs out of their application and then 2nd user tries to login, although I can see their tokens deleted from local storage, they are still able to sign-in with previous user token, without even being presented with a login prompt.
Is there a setting in MSAL.js or custom policies that would prevent that? I tried using prompt: 'login', but it didn't help, and then I read that it's not supported for external IDP providers in B2C.
Any suggestion would be welcome.