B2c Single Sign On
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. As the document in your question says, if you have multiple applications and policies in your B2C tenant, you can manage user interactions across them using the Single sign-on configuration property.
This feature gives you fine-grained control, on a per-policy basis, of:
- Lifetimes of security tokens emitted by Azure Active Directory (Azure AD) B2C.
- Lifetimes of web application sessions managed by Azure AD B2C.
- Single sign-on (SSO) behavior across multiple apps and policies in your B2C tenant.
You can use this feature in your B2C tenant as follows:
- Follow these steps to navigate to the B2C features blade on the Azure portal.
- Click Sign-in policies. Note: You can use this feature on any policy type, not just on Sign-in policies.
- Open a policy by clicking it. For example, click on B2C_1_SiIn.
- Click Edit at the top of the blade.
- Click Token, session & single sign-on config.
- Make your desired changes. Learn about available properties in subsequent sections.
- Click OK.
- Click Save on the top of the blade.
Token lifetimes configuration
Azure AD B2C supports the OAuth 2.0 authorization protocol for enabling secure access to protected resources. To implement this support, Azure AD B2C emits various security tokens. These are the properties you can use to manage lifetimes of security tokens emitted by Azure AD B2C:
- Access & ID token lifetimes (minutes): The lifetime of the OAuth 2.0 bearer token used to gain access to a protected resource. Azure AD B2C issues only ID tokens at this time. This value would apply to access tokens as well, when we add support for them.
- Default = 60 minutes.
- Minimum (inclusive) = 15 minutes.
- Maximum (inclusive) = 1440 minutes.
- Refresh token lifetime (days): The maximum time period before which a refresh token can be used to acquire a new access or ID token (and optionally, a new refresh token, if your application had been granted the offline_access scope).
- Default = 14 days.
- Minimum (inclusive) = 1 day.
- Maximum (inclusive) = 90 days.
- Refresh token sliding window lifetime (days): After this time period elapses the user is forced to re-authenticate, irrespective of the validity period of the most recent refresh token acquired by the application. It can only be provided if the switch is set to Bounded. It needs to be greater than or equal to the Refresh token lifetime (days) value. If the switch is set to Unbounded, you cannot provide a specific value.
- Default = 90 days.
- Minimum (inclusive) = 1 day.
- Maximum (inclusive) = 365 days.
These are a couple of use cases that you can enable using these properties:
- Allow a user to stay signed into a mobile application indefinitely, as long as he or she is continually active on the application. You can do this by setting the Refresh token sliding window lifetime (days) switch to Unbounded in your sign-in policy.
- Meet your industry's security and compliance requirements by setting the appropriate access token lifetimes.
Session configuration
Azure AD B2C supports the OpenID Connect authentication protocol for enabling secure sign-in to web applications. These are the properties you can use to manage web application sessions:
- Web app session lifetime (minutes): The lifetime of Azure AD B2C's session cookie stored on the user's browser upon successful authentication.
- Default = 1440 minutes.
- Minimum (inclusive) = 15 minutes.
- Maximum (inclusive) = 1440 minutes.
- Web app session timeout: If this switch is set to Absolute, the user is forced to re-authenticate after the time period specified by Web app session lifetime (minutes) elapses. If this switch is set to Rolling (the default setting), the user remains signed in as long as the user is continually active in your web application.
These are a couple of use cases that you can enable using these properties:
- Meet your industry's security and compliance requirements by setting the appropriate web application session lifetimes.
- Force re-authentication after a set time period during a user's interaction with a high-security part of your web application.
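The refresh token rules (lifetime, the Bounded/Unbounded sliding window and the requirement that the window be at least as long as the refresh token lifetime) and the Absolute/Rolling web app session timeout interact in ways that are easier to check with a small model than to reason about from the settings blade. The following Python is an added example, not code from the Azure documentation or from the B2C service: it encodes the defaults and ranges stated above, reports which constraints a proposed configuration would violate, simulates how long a continuously active app can keep refreshing before the user must re-authenticate, and evaluates the two session timeout modes. It assumes the sliding window is counted from the interactive sign-in that started the refresh chain, which the text does not state explicitly.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Allowed ranges (inclusive) as stated for each portal setting, in the units the portal uses.
ACCESS_MINUTES = (15, 1440)
REFRESH_DAYS = (1, 90)
SLIDING_DAYS = (1, 365)
SESSION_MINUTES = (15, 1440)


@dataclass(frozen=True)
class PolicyConfig:
    """One policy's 'Token, session & single sign-on config'; defaults are the documented ones."""
    access_token_minutes: int = 60
    refresh_token_days: int = 14
    sliding_window_days: Optional[int] = 90   # None models the Unbounded switch
    web_session_minutes: int = 1440
    web_session_rolling: bool = True          # False models the Absolute timeout


def _in_range(value: int, bounds) -> bool:
    return bounds[0] <= value <= bounds[1]


def validate_config(cfg: PolicyConfig) -> List[str]:
    """Return the stated constraints that `cfg` violates; an empty list means the portal would accept it."""
    problems = []
    if not _in_range(cfg.access_token_minutes, ACCESS_MINUTES):
        problems.append("access/ID token lifetime must be 15..1440 minutes")
    if not _in_range(cfg.refresh_token_days, REFRESH_DAYS):
        problems.append("refresh token lifetime must be 1..90 days")
    if cfg.sliding_window_days is not None:       # Bounded: the window itself is constrained
        if not _in_range(cfg.sliding_window_days, SLIDING_DAYS):
            problems.append("sliding window lifetime must be 1..365 days")
        if cfg.sliding_window_days < cfg.refresh_token_days:
            problems.append("sliding window lifetime must be >= refresh token lifetime")
    if not _in_range(cfg.web_session_minutes, SESSION_MINUTES):
        problems.append("web app session lifetime must be 15..1440 minutes")
    return problems


def refresh_allowed(cfg: PolicyConfig, signed_in_at: datetime,
                    refresh_issued_at: datetime, now: datetime) -> bool:
    """Whether the refresh token issued at `refresh_issued_at` can still be redeemed at `now`.
    Assumption: the sliding window is counted from the interactive sign-in that started the chain."""
    if now > refresh_issued_at + timedelta(days=cfg.refresh_token_days):
        return False                      # the most recent refresh token itself has expired
    if cfg.sliding_window_days is not None and \
            now > signed_in_at + timedelta(days=cfg.sliding_window_days):
        return False                      # Bounded: window closed regardless of the refresh token
    return True


def days_until_reauth(cfg: PolicyConfig, refresh_every_days: int, horizon_days: int) -> Optional[int]:
    """Simulate an app that redeems its refresh token every `refresh_every_days` and receives a new
    one each time. Returns the day (after sign-in) on which a redemption is first refused and the
    user must re-authenticate, or None if the chain is still alive at `horizon_days`."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference instant
    issued, now = t0, t0
    while now - t0 < timedelta(days=horizon_days):
        now += timedelta(days=refresh_every_days)
        if not refresh_allowed(cfg, t0, issued, now):
            return (now - t0).days
        issued = now                                  # chain continues with the new refresh token
    return None


def session_valid(cfg: PolicyConfig, minutes_since_sign_in: int, minutes_since_last_activity: int) -> bool:
    """Web app session check: Rolling measures from the last activity, Absolute from the sign-in."""
    elapsed = minutes_since_last_activity if cfg.web_session_rolling else minutes_since_sign_in
    return elapsed <= cfg.web_session_minutes


if __name__ == "__main__":
    cfg = PolicyConfig()
    print("violations with defaults:", validate_config(cfg))
    print("daily-active app, Bounded 90 days: re-auth on day", days_until_reauth(cfg, 1, 400))
    print("daily-active app, Unbounded:", days_until_reauth(PolicyConfig(sliding_window_days=None), 1, 400))
    print("app idle 20 days with a 14-day refresh token:", days_until_reauth(cfg, 20, 400))
```

The simulation makes the two failure modes visible: a refresh token that is simply too old to redeem (the app was idle longer than Refresh token lifetime), and a Bounded sliding window that closes even though the latest refresh token is still within its own lifetime. The Unbounded setting in the mobile use case above corresponds to `sliding_window_days=None`, which removes the second check entirely.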
Single sign-on (SSO) configuration
If you have multiple applications and policies in your B2C tenant, you can manage user interactions across them using the Single sign-on configuration property. You can set the property to one of the following settings:
- Tenant: This is the default setting. Using this setting allows multiple applications and policies in your B2C tenant to share the same user session. For example, once a user signs into an application, Contoso Shopping, he or she can also seamlessly sign into another one, Contoso Pharmacy, upon accessing it.
- Application: This allows you to maintain a user session exclusively for an application, independent of other applications. For example, if you want the user to sign in to Contoso Pharmacy (with the same credentials), even if he or she is already signed into Contoso Shopping, another application on the same B2C tenant.
- Policy: This allows you to maintain a user session exclusively for a policy, independent of the applications using it. For example, if the user has already signed in and completed a multi factor authentication (MFA) step, he or she can be given access to higher-security parts of multiple applications as long as the session tied to the policy doesn't expire.
- Disabled: This forces the user to run through the entire user journey on every execution of the policy. For example, this will allow multiple users to sign up to your application (in a shared desktop scenario), even while a single user remains signed in during the whole time.
Secure Single sign-on (SSO) Between Domains with Azure Active Directory B2C
Users expect to instantly log into apps and navigate between domains without having to retype credentials, but implementing SSO from scratch is not unlike reinventing the wheel. We must think about security, performance, managing user sessions, and a host of other things.
Cloud-based IDPs, like Azure Active Directory B2C (AAD B2C), claim that they enable developers to add SSO, MFA, secure storage for user data, and even integrate with other IDPs without the need to write any code. Let’s take a closer look at AAD B2C and try to figure out how much effort you will need to use it and whether it is the right solution for your apps.
What is Azure Active Directory B2C (AAD B2C)?
AAD B2C is a cloud identity provider service, based on Azure Active Directory and available in Microsoft Azure Cloud. AAD B2C can be used to:
- Enable customers to create user accounts, securely log into applications, reset passwords, and manage profiles
- Enable customers to authenticate with social and/or corporate credentials (Facebook, Google, Twitter, ADFS, Active Directory, Salesforce, etc.)
- Enable customers to seamlessly navigate between applications using a single identity (SSO)
- Enable multi-factor authentication, implement a secure password policy
- Grant authorized access to web APIs for applications and users
What application types does AAD B2C support?
AAD B2C is not restricted to any particular language or platform and works with most modern application architectures — web, mobile, desktop, SPA, and web APIs. AAD B2C employs industry standard protocols, such as OAuth 2.0 or OpenID Connect to authenticate users.
How does AAD B2C authenticate users?
AAD B2C works as a cloud-based extension for apps. Unauthenticated users are redirected to MS Azure where they can log in and/or sign up for a new account. After a successful login, AAD B2C issues a token and returns the user back to the original application. If SSO is enabled, users can continue to other applications in the “pool” with the same token. AAD B2C gives developers full flexibility to customize all authentication steps, as well as the look and feel of the login/signup experience.
How secure is AAD B2C?
If your apps are using AAD B2C, Microsoft is responsible for the entire authentication process, from accepting and validating user input, to safely storing user data in Azure Active Directory. The registered applications are only responsible for accepting and validating access tokens.
AAD B2C authentication is based on JSON Web Tokens (JWTs) — an open standard (RFC 7519) for securely sending information between parties inside compact, digitally signed tokens.
Do I need to rewrite my applications to use AAD B2C?
Applications using AAD B2C must be able to do two things: redirect users to AAD B2C and accept and validate the JWTs it issues. These are the only changes that must be implemented, and there are dozens of libraries (for .NET, Java, PHP, Python, JavaScript, etc.) to help you with that. All the complex logic related to accepting and sanitizing user input, querying user DBs, managing SSO sessions, etc. is handled by AAD B2C.
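The one piece of security logic that stays in the application, accepting and validating the token, is what the Token lifetimes configuration section earlier on this page and this section both hinge on: the exp claim in the token is where the configured Access & ID token lifetime actually takes effect, and the relying party must enforce it together with issuer, audience, policy and signature. The following Python is an added example and not code from AAD B2C, from Microsoft's libraries or from the author of this article; the tenant, client id and policy name are constructed placeholders, the tfp claim is assumed to carry the issuing policy name, and, because B2C signs with RS256 against keys published in the policy's OpenID Connect metadata, the HMAC verifier and the token-minting helper are offline stand-ins that exist only so the validation logic can run with sample data.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Callable, Dict, Optional

# Constructed sample values: a hypothetical tenant, client id and policy name, not real identifiers.
EXPECTED_ISSUER = "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/"
EXPECTED_AUDIENCE = "0a0a0a0a-0000-4000-8000-000000000001"  # the relying party's own client id
EXPECTED_POLICY = "B2C_1_SiIn"                              # policy expected in the tfp claim (assumed)
CLOCK_SKEW = 60                                             # seconds of leeway for exp / nbf

# A verifier receives (header, signing input, raw signature) and says whether the signature is good.
Verifier = Callable[[Dict[str, Any], bytes, bytes], bool]


class TokenError(Exception):
    """Carries the reason a token was rejected; the caller treats every reason as 'unauthenticated'."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_token(token: str, verify: Verifier, now: Optional[int] = None) -> Dict[str, Any]:
    """Return the claims of `token` only if signature, issuer, audience, policy and lifetime all pass."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError) as exc:       # covers JSONDecodeError and bad base64
        raise TokenError(f"malformed token: {exc}") from exc

    # Signature first, and never accept an unsigned token whatever the header claims.
    if not isinstance(header, dict) or header.get("alg") in (None, "none"):
        raise TokenError("unsigned token rejected")
    if not verify(header, f"{h_b64}.{p_b64}".encode("ascii"), signature):
        raise TokenError("signature invalid")

    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise TokenError("token not issued for this application")
    if claims.get("tfp") != EXPECTED_POLICY:
        raise TokenError("token issued by a different policy")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW:
        raise TokenError("token expired")     # exp reflects the configured Access & ID token lifetime
    if isinstance(nbf, int) and now + CLOCK_SKEW < nbf:
        raise TokenError("token not yet valid")
    return claims


def rejection_reason(token: str, verify: Verifier, now: int) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_token(token, verify, now)
        return None
    except TokenError as exc:
        return str(exc)


# --- Offline stand-ins for the signature step ---------------------------------------------
# AAD B2C signs with RS256; a real relying party loads the keys from the jwks_uri in the policy's
# OpenID Connect metadata and verifies with an RSA library. HS256 with a constructed shared key is
# used here only so the example runs without network access.
def hs256_verifier(key: bytes) -> Verifier:
    def verify(header: Dict[str, Any], signing_input: bytes, signature: bytes) -> bool:
        if header.get("alg") != "HS256":       # pin the algorithm; never let the header choose it
            return False
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def mint_sample_token(key: bytes, claims: Dict[str, Any]) -> str:
    """Build a constructed HS256 token carrying `claims` (sample data, not a B2C-issued token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def sample_claims(now: int, lifetime_minutes: int = 60) -> Dict[str, Any]:
    """Claims shaped like a B2C ID token; exp is iat plus the policy's token lifetime (default 60 min)."""
    return {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "tfp": EXPECTED_POLICY,
            "sub": "constructed-user-1", "iat": now, "nbf": now, "exp": now + lifetime_minutes * 60}


if __name__ == "__main__":
    key, now = b"constructed-demo-key", int(time.time())
    token = mint_sample_token(key, sample_claims(now))
    print("fresh token:", rejection_reason(token, hs256_verifier(key), now))
    print("same token 61 min later:", rejection_reason(token, hs256_verifier(key), now + 3660 + 1))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is pinned by the verifier rather than taken from the header, and the policy check ensures a token minted by a lower-assurance policy in the same tenant (a sign-in without the MFA step, say) is not accepted where the MFA policy's token is required, which is the distinction the Policy setting under Single sign-on (SSO) configuration relies on.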
All features, including SSO, MFA, and integrations with social/corporate IDPs can be configured in the UI. AAD B2C also provides advanced tools to build highly customized authentication experiences and integrate with arbitrary IDPs and even APIs.
What does a typical implementation process look like?
The implementation typically involves three steps:
- Architecture planning. In the planning stage, an Azure professional reviews the existing apps and designs an appropriate architecture for the AAD B2C service. They may also provide guidance on what changes will be required to the code.
- Implementation. During the implementation stage, an AAD B2C service is created and configured in MS Azure Cloud. If the apps are not directory-aware, the logic for accepting and validating JWTs is implemented too.
- User migration. During the migration stage, if the project requires it, users are moved from the existing data storage into the AAD B2C directory. AAD B2C does not have to store users in the cloud and can do federated authentication, e.g. via an existing ADFS.
Still not sure if AAD B2C is suitable for your use case? Contact one of our representatives.