RoshanTolwani-5644 asked RandyWiemer-9766 commented

Single Logout between one OpenId App and Saml App

Hi All,

We have created one web app (using ASP.NET Core 3.1) that uses the OpenID Connect protocol to authenticate with Azure AD B2C, and another web app that uses the SAML protocol to authenticate with Azure AD B2C ( https://docs.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-user-flow ).

We want to achieve SLO (Single Logout) between these two apps, i.e. if a user signs out from one app it should automatically sign them out from the other app.

Is it possible? If yes, how do we achieve it? We are using custom policies for sign up and sign in.

azure-ad-b2c
alfredorevilla-msft answered alfredorevilla-msft converted comment to answer

Hello @roshantolwani-5644, SLO is possible in Azure AD B2C. The protocol (OIDC or SAML) does not matter, as they rely on the same mechanism and resources for managing the user session. Please follow the steps detailed in Configure your custom policy and let us know if you need additional assistance.


Hi @alfredorevilla-msft


We have two different custom policies for Sign-In, one for SAML and one for OpenID Connect.
When we sign out from one, it doesn't sign out from the other app. Single logout works between two OIDC apps and between two SAML apps, but it doesn't work between an OIDC app and a SAML app.

Please let me know if anything extra needs to be done if we are using multiple authentication protocols.



Hi @alfredorevilla-msft

We are using the custom policy from the starter pack (SocialAndLocalAccountsWithMfa), and for the SAML integration we are using the link below:
saml-service-provider

As mentioned above, we have created two ASP.NET Core apps that use different protocols (OIDC and SAML) for authentication with Azure AD B2C.

Single Sign-On is working, but Single Logout is not working between the OIDC app and the SAML app.
Please let us know if anything extra needs to be done to achieve single logout.



I am able to reproduce this same behavior. I can achieve SLO for multiple SAML apps along with the B2C session, and I can achieve SLO for multiple OIDC apps along with the B2C session, but the SAML logout fails to tell the OIDC applications to log out and the OIDC logout fails to tell the SAML apps to log out. In Fiddler I can see the iframe process make the calls to the logouts, but it handles either SAML or OIDC applications, not both.

RandyWiemer-9766 answered RandyWiemer-9766 commented

After more experimenting I have gotten SLO to work between OIDC and SAML apps. It only works when the policies share a common base file. If the SAML and OIDC policies are wholly independent then SLO fails, but if they share a base it works. This is in spite of the SSO scope being Tenant.


Hello @randywiemer-9766, thanks for sharing this information. I will reach out to the B2C team to get their comments about this and come back ASAP.

RandyWiemer-9766 (replying to alfredorevilla-msft):

The logoff process is more specific than just sharing a common base policy. My testing is showing that for a SAML logoff to cause a logoff of an OIDC app, the SAML policy must contain a dormant JWT issuer technical profile and the OAuth session manager, and the names of these otherwise unused TPs must exactly match the names of the TPs used in the OIDC policy. This holds true going the other way as well. In order for an OIDC logoff to cause a SAML logoff, the OIDC policy must include a dormant SAML issuer and SAML session management technical profile with the exact same names as the TPs in the SAML policy.

The easy way to establish this pattern is to have the OIDC and SAML policies chain to a common base holding these TPs. However, this is not the standard pattern we've been using. Instead we create an OIDC policy that holds everything needed for OIDC and if we need SAML we create a SAML veneer over the top of the OIDC policy adding and changing the specific differences needed to support SAML.

We will need to rethink this pattern. Another reason we will need to rethink this is because we are now supporting custom refresh journeys and this requires an Endpoints element in the relying party that cannot be present in a SAML policy. The inheritance model does not allow us to remove this element which makes maintaining a SAML policy derived from our OIDC policies much harder.

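The observation above amounts to a checkable property of the two policy files: every session-management and token-issuer technical profile reachable from the OIDC policy (through its BasePolicy chain) must also exist, under the same Id, in the SAML policy, and vice versa. The Python script below is an added example and is not code from this thread or from Microsoft; it parses constructed, heavily trimmed policy fragments that reuse the starter-pack Ids SM-jwt-issuer, SM-Saml-issuer, JwtIssuer and Saml2AssertionIssuer (those names come from the starter pack, not from this thread) and reports which session/issuer profiles one side declares and the other lacks. It identifies session managers by the Web.TPEngine.SSO.* handler and issuers by their OutputTokenFormat, so it does not depend on any particular profile naming.

```python
import xml.etree.ElementTree as ET

# XML namespace used by every Azure AD B2C TrustFrameworkPolicy file.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}


def sso_profiles(policy_xml):
    """Map technical profile Id -> role for the profiles that take part in the
    B2C session: SSO session providers (Protocol Handler Web.TPEngine.SSO.*) and
    token issuers (OutputTokenFormat JWT or SAML2)."""
    root = ET.fromstring(policy_xml)
    roles = {}
    for tp in root.iterfind(".//tf:TechnicalProfile", NS):
        tp_id = tp.get("Id")
        proto = tp.find("tf:Protocol", NS)
        handler = proto.get("Handler", "") if proto is not None else ""
        token_format = tp.findtext("tf:OutputTokenFormat", default="", namespaces=NS)
        if "Web.TPEngine.SSO." in handler:
            # "Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, ..." -> class name
            roles[tp_id] = "session:" + handler.split(",")[0].rsplit(".", 1)[-1]
        elif token_format in ("JWT", "SAML2"):
            roles[tp_id] = "issuer:" + token_format
    return roles


def chain_profiles(policy_chain):
    """Merge profiles over an inheritance chain (base policy first), so that a
    relying-party file is credited with everything its ancestors declare."""
    merged = {}
    for xml_text in policy_chain:
        merged.update(sso_profiles(xml_text))
    return merged


def slo_gaps(oidc_chain, saml_chain):
    """Profile Ids present on one side and absent on the other. Per the thread,
    both lists must be empty for cross-protocol single logout to work."""
    oidc, saml = chain_profiles(oidc_chain), chain_profiles(saml_chain)
    return {
        "missing_in_saml_policy": sorted(set(oidc) - set(saml)),
        "missing_in_oidc_policy": sorted(set(saml) - set(oidc)),
    }


# --- constructed sample policies (trimmed to the elements the check reads) ---
def _policy(policy_id, technical_profiles):
    """Wrap TechnicalProfile fragments in a minimal, constructed policy file."""
    return (
        f'<TrustFrameworkPolicy xmlns="{NS["tf"]}" PolicyId="{policy_id}" '
        'TenantId="contoso.onmicrosoft.com"><ClaimsProviders><ClaimsProvider>'
        "<DisplayName>Session</DisplayName><TechnicalProfiles>"
        + "".join(technical_profiles)
        + "</TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>"
    )


_HANDLER = "Web.TPEngine.SSO.%s, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
SM_JWT = ('<TechnicalProfile Id="SM-jwt-issuer"><Protocol Name="Proprietary" Handler="'
          + _HANDLER % "DefaultSSOSessionProvider" + '"/></TechnicalProfile>')
SM_SAML = ('<TechnicalProfile Id="SM-Saml-issuer"><Protocol Name="Proprietary" Handler="'
           + _HANDLER % "SamlSSOSessionProvider" + '"/></TechnicalProfile>')
JWT_ISSUER = ('<TechnicalProfile Id="JwtIssuer"><Protocol Name="None"/>'
              '<OutputTokenFormat>JWT</OutputTokenFormat>'
              '<UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer"/>'
              '</TechnicalProfile>')
SAML_ISSUER = ('<TechnicalProfile Id="Saml2AssertionIssuer"><Protocol Name="SAML2"/>'
               '<OutputTokenFormat>SAML2</OutputTokenFormat>'
               '<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer"/>'
               '</TechnicalProfile>')

# Shared base holding both protocols' session managers and issuers (the pattern
# that worked), versus two wholly independent policies (the pattern that failed).
SHARED_BASE = _policy("B2C_1A_TrustFrameworkBase", [SM_JWT, SM_SAML, JWT_ISSUER, SAML_ISSUER])
OIDC_ONLY = _policy("B2C_1A_signup_signin_oidc", [SM_JWT, JWT_ISSUER])
SAML_ONLY = _policy("B2C_1A_signup_signin_saml", [SM_SAML, SAML_ISSUER])

if __name__ == "__main__":
    print("shared base :", slo_gaps([SHARED_BASE], [SHARED_BASE]))
    print("independent :", slo_gaps([OIDC_ONLY], [SAML_ONLY]))
```

Run it against your real TrustFrameworkBase/Extensions/RP files in inheritance order, one list per protocol; any Id in either list is a dormant profile that the thread's findings say must be added to the other side under exactly that name.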