azure-ad-b2cazure-ad-b2c-custom-policyidentity-experience-framework

Azure B2C: Issues with blocked iframe during signout on Federated Identity Provider


We are experiencing issues completing the sign out flow using Azure B2C with custom policies.

We have created a sample Enterprise Application in our Azure AD and set it up as a federated identity provider in our custom policies in the B2C environment, besides the sign out issue everything works as expected.

The sign out flow.

  1. The first step works well and the session is cleared on the B2C identity provider.
  2. We can see in the network tab that the correct endpoint is called on the federated identity provider, but this request is blocked (net::ERR_BLOCKED_BY_RESPONSE) I then checked the response header and found X-Frame-Options: DENY. I am unsure but to me it looks like the request is made from an iframe but is blocked.
  3. The user is redirected back to the app's post_logout_redirect_url

A workaround is to put the end_session_endpoint as the post_logout_redirect_url:

https://domain.b2clogin.com/domain.onmicrosoft.com/signin/oauth2/v2.0/logout?post_logout_redirect_uri=https://login.microsoftonline.com/guid/oauth2/v2.0/logout?post_logout_redirect_url=https://app.com/callback.html

and that works fine.

Here is the technical profile


<TechnicalProfile Id="Company-OpenIdConnect">
   <DisplayName>Company</DisplayName>
   <Description>Company</Description>
   <Protocol Name="OpenIdConnect"/>
   <Metadata>
      <Item Key="METADATA">https://login.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration</Item>
      <Item Key="client_id">guid</Item>
      <Item Key="response_types">code</Item>
      <Item Key="scope">openid profile</Item>
      <Item Key="response_mode">form_post</Item>
      <Item Key="HttpBinding">POST</Item>
      <Item Key="UsePolicyInRedirectUri">false</Item>
    </Metadata>
    ...
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>


Solution

  • This is expected, most IdPs will not allow to be rendered in an iframe for login or logout. Azure AD does not allow to be rendered in an iframe either, hence the logout does not complete.

    Your workaround causes a full page redirect, which will work, but the user experience maybe jarring.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out

    The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session.