MunazzaOsama-2843 asked:

Signed-in user session persists and doesn't sign in to Azure AD B2C with a different email (the one mentioned in the invitation URL)

I have a relying party application (web application) registered in AAD B2C, and I am inviting users to my groups in my tenant. For that, I send them the invitation URL, and the user signs up/signs in and enters my application.
This process works perfectly if I test this flow in an incognito window, but otherwise it saves my (inviter) credentials, and even on clicking the invitation link it doesn't sign up with the email mentioned in the invitation; rather, it signs in with the already signed-in (inviter) account.

Any help would be much appreciated.

azure-ad-b2c

1 Answer

amanpreetsingh-msft answered:

Hi @MunazzaOsama-2843, thank you for reaching out.

In order to avoid SSO, you can use the prompt parameter of the OAuth protocol. By adding &prompt=login at the end of the invitation URL, you can force the user to provide credentials and do an interactive sign-in.

prompt indicates the type of user interaction that is required. Possible values at this time are:

  1. prompt=login will force the user to enter their credentials on that request, negating single-sign on.

  2. prompt=none is the opposite; it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single sign-on, the Microsoft identity platform will return an interaction_required error.

  3. prompt=consent will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.

  4. prompt=select_account will interrupt single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to choose to use a different account altogether.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

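The two defensive steps the answer and the follow-up comment point at, as an added example in Python that is not code from the answerer or from Microsoft: set (or replace) the prompt parameter on an invitation URL, and have the relying party bind its own session to the identity in the freshly issued ID token rather than to whatever browser session already existed. The authorize URL, client id and token claims below are constructed placeholders; the `emails` claim name is an assumption about the B2C user flow's claim configuration.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample invitation URL (placeholder tenant and client id).
INVITATION_URL = (
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?p=B2C_1_signup_signin&client_id=CLIENT_ID_PLACEHOLDER"
    "&prompt=none&login_hint=invitee%40example.com"
)
# Constructed ID token claims, as the app would see them after validation.
INVITEE_CLAIMS = {"sub": "constructed-sub-invitee", "emails": ["Invitee@example.com"]}
INVITER_CLAIMS = {"sub": "constructed-sub-inviter", "emails": ["inviter@example.com"]}


def force_interactive_login(invitation_url: str, prompt: str = "login") -> str:
    """Return the URL with exactly one prompt parameter, replacing any existing one."""
    parts = urlsplit(invitation_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "prompt"]
    query.append(("prompt", prompt))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def invitee_matches_token(claims: dict, invited_email: str) -> bool:
    """True only if the validated ID token belongs to the invited address."""
    emails = set()
    if "email" in claims:                 # single-valued claim, if the policy emits it
        emails.add(claims["email"])
    emails.update(claims.get("emails", []))  # assumed multi-valued B2C claim
    return invited_email.casefold() in {e.casefold() for e in emails}


def establish_session(existing: Optional[dict], claims: dict, invited_email: str) -> dict:
    """Build the app session from the new token only; never reuse the inviter's session."""
    if not invitee_matches_token(claims, invited_email):
        raise PermissionError("ID token is not for the invited user; refusing to sign in")
    # The previous app session (e.g. the inviter's) is discarded, not merged or kept.
    return {"sub": claims["sub"], "email": invited_email}


if __name__ == "__main__":
    print(force_interactive_login(INVITATION_URL))
    print(establish_session({"sub": "constructed-sub-inviter"}, INVITEE_CLAIMS, "invitee@example.com"))
```

The session-binding check is what turns the comment's symptom (the app silently continuing as the inviter) into an explicit failure you can log and investigate.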

Thank you for your response. I am already using the prompt parameter in my invitation URL. It does give me a sign-in prompt with the email prefilled, as the invitation is for that email address specifically, and after the sign-in prompt I am getting an ID token for that invitee email. This is all desired in my case, but things go wrong after that: it does not sign in using this ID token (invitee); instead it signs in with the token that was already signed in with (inviter).
This scenario occurs only when I open the invitation URL in the same browser from which I (the inviter) am already signed in.
Everything goes ideally if the invitation URL is opened in an incognito window.

As I came to know, Azure AD persists the inviter cookie session, which I need to remove/clear before trying to sign in from the invitee account, but I don't know the exact way to do this.
Any help with this would be much appreciated.
Thanks
