Configure session behavior in Azure Active Directory B2C

Before you begin, use the selector above to choose the type of policy you're configuring. Azure AD B2C offers two methods of defining how users interact with your applications: through predefined user flows, or through fully configurable custom policies. The steps required in this article are different for each method.

Single sign-on (SSO) adds security and convenience when users sign in across applications in Azure Active Directory B2C (Azure AD B2C). This article describes the single sign-on methods used in Azure AD B2C and helps you choose the most appropriate SSO method when configuring your policy.

With single sign-on, users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or single-page application, regardless of platform or domain name.

When the user initially signs in to an application, Azure AD B2C persists a cookie-based session. Upon subsequent authentication requests, Azure AD B2C reads and validates the cookie-based session and issues an access token without prompting the user to sign in again. If the cookie-based session expires or becomes invalid, the user is prompted to sign in again.

Prerequisites

Azure AD B2C session overview

Integration with Azure AD B2C involves three types of SSO sessions:

  • Azure AD B2C - Session managed by Azure AD B2C
  • Federated identity provider - Session managed by the identity provider, for example Salesforce
  • Application - Session managed by the web, mobile, or single-page application

Diagram: SSO sessions

Azure AD B2C session

When a user successfully authenticates with a local or social account, Azure AD B2C stores a cookie-based session in the user's browser. The cookie is stored under the Azure AD B2C tenant domain name, such as https://contoso.b2clogin.cn.

If a user initially signs in with a federated account, and then during the session time window (time-to-live, or TTL) signs in to the same app or a different app, Azure AD B2C tries to acquire a new access token from the federated identity provider. If the federated identity provider session is expired or invalid, the federated identity provider prompts the user for their credentials. If the session is still active (or if the user has signed in with a local account instead of a federated account), Azure AD B2C authorizes the user and eliminates further prompts.

You can configure the session behavior, including the session TTL and how Azure AD B2C shares the session across policies and applications.

Federated identity provider session

A social or enterprise identity provider manages its own session. The cookie is stored under the identity provider's domain name, such as https://login.salesforce.com. Azure AD B2C doesn't control the federated identity provider session. Instead, session behavior is determined by the federated identity provider.

Application session

A web, mobile, or single-page application can be protected by OAuth access tokens, ID tokens, or SAML tokens. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app takes the user to the Azure AD B2C sign-in page.

The application session can be a cookie-based session stored under the application domain name, such as https://contoso.com. Mobile applications might store the session in a different way but using a similar approach.

Configure Azure AD B2C session behavior

You can configure the Azure AD B2C session behavior, including:

  • Web app session lifetime (minutes) - The amount of time the Azure AD B2C session cookie is stored in the user's browser after successful authentication. You can set the session lifetime up to 24 hours.

  • Web app session timeout - Indicates how a session is extended by the session lifetime setting or the Keep me signed in (KMSI) setting.

    • Rolling - Indicates that the session is extended every time the user performs a cookie-based authentication (default).
    • Absolute - Indicates that the user is forced to re-authenticate after the time period specified.
  • Single sign-on configuration - The Azure AD B2C session can be configured with the following scopes:

    • Tenant - This setting is the default. Using this setting allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one upon accessing it.
    • Application - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign in to Contoso Pharmacy regardless of whether the user is already signed into Contoso Groceries.
    • Policy - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For example, if the user has already signed in and completed a multi-factor authentication (MFA) step, the user can be given access to higher-security parts of multiple applications, as long as the session tied to the user flow doesn't expire.
    • Disabled - This setting forces the user to run through the entire user flow upon every execution of the policy.
  • Keep me signed in (KMSI) - Extends the session lifetime through the use of a persistent cookie. If this feature is enabled and the user selects it, the session remains active even after the user closes and reopens the browser. The session is revoked only when the user signs out. The KMSI feature only applies to sign-in with local accounts. The KMSI feature takes precedence over the session lifetime.
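The following model, added here as an illustration and not Azure AD B2C's own code, shows how the settings above interact: the SSO scope decides which sign-ins share one session cookie, Rolling and Absolute expiry differ in what they measure the lifetime from, and a KMSI session for a local account outlives the session lifetime. All names and the integer-second clock are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of the session settings listed above (scope, Rolling/Absolute
# expiry and KMSI); this is an illustration, not Azure AD B2C's own code.
# Times are integer seconds so the arithmetic is easy to follow.

DAY = 24 * 60 * 60


@dataclass
class SsoSettings:
    scope: str                 # "Tenant", "Application", "Policy" or "Disabled"
    expiry_type: str           # "Rolling" or "Absolute"
    expiry_seconds: int        # web app session lifetime (the page allows up to 24 h)
    kmsi_enabled: bool = False
    keep_alive_days: int = 0   # KMSI cookie lifetime, 1 to 90 days


@dataclass
class Session:
    account_type: str          # "local" or "federated"
    created: int               # time of the initial interactive sign-in
    last_auth: int             # time of the last cookie-based authentication
    kmsi_selected: bool = False


def session_key(settings, tenant, app_id, policy_id):
    """Key under which one session cookie is shared; None means no session is reused."""
    if settings.scope == "Tenant":
        return (tenant,)
    if settings.scope == "Application":
        return (tenant, app_id)
    if settings.scope == "Policy":
        return (tenant, policy_id)
    if settings.scope == "Disabled":
        return None
    raise ValueError(f"unknown SingleSignOn scope: {settings.scope}")


def session_valid(settings, session, now):
    """True if the cookie-based session is still usable at time `now`."""
    # KMSI applies only to local accounts and takes precedence over the session lifetime.
    if settings.kmsi_enabled and session.kmsi_selected and session.account_type == "local":
        return now < session.created + settings.keep_alive_days * DAY
    # Rolling: measured from the last cookie-based authentication; Absolute: from sign-in.
    anchor = session.last_auth if settings.expiry_type == "Rolling" else session.created
    return now < anchor + settings.expiry_seconds


def authenticate(settings, session, now):
    """Silent (cookie-based) authentication: succeeds while the session is valid and,
    for a Rolling session, pushes the expiry forward."""
    if not session_valid(settings, session, now):
        return False
    if settings.expiry_type == "Rolling":
        session.last_auth = now
    return True
```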

To configure the session behavior:

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select User flows.
  5. Open the user flow that you previously created.
  6. Select Properties.
  7. Configure Web app session lifetime (minutes), Web app session timeout, Single sign-on configuration, and Require ID Token in logout requests as needed.
  8. Click Save.

To change your session behavior and SSO configuration, add a UserJourneyBehaviors element inside the RelyingParty element. The UserJourneyBehaviors element must immediately follow the DefaultUserJourney element. Your UserJourneyBehaviors element should look like this example:

<UserJourneyBehaviors>
   <SingleSignOn Scope="Application" />
   <SessionExpiryType>Absolute</SessionExpiryType>
   <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>

Enable Keep me signed in (KMSI)

You can enable the KMSI feature for users of your web and native applications who have local accounts in your Azure AD B2C directory. When you enable the feature, users can opt to stay signed in so the session remains active after they close the browser. They can then reopen the browser without being prompted to reenter their username and password. This access is revoked when a user signs out.

Screenshot: sample sign-up and sign-in page showing the Keep me signed in checkbox

KMSI is configurable at the individual user flow level. Before enabling KMSI for your user flows, consider the following:

  • KMSI is supported only for the Recommended versions of sign-up and sign-in (SUSI), sign-in, and profile editing user flows. If you currently have Standard or Legacy preview - v2 versions of these user flows and want to enable KMSI, you'll need to create new, Recommended versions of these user flows.
  • KMSI is not supported with password reset or sign-up user flows.
  • If you want to enable KMSI for all applications in your tenant, we recommend that you enable KMSI for all user flows in your tenant. Because a user can be presented with multiple policies during a session, it's possible they could encounter one that doesn't have KMSI enabled, which would remove the KMSI cookie from the session.
  • KMSI should not be enabled on public computers.

Configure KMSI for a user flow

To enable KMSI for your user flow:

  1. Sign in to the Azure portal.

  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directory + subscription filter in the top menu and choose the directory that contains your Azure AD B2C tenant.

  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

  4. Select User flows (policies).

  5. Open the user flow that you previously created.

  6. Select Properties.

  7. Under Session behavior, select Enable keep me signed in session. Next to Keep me signed in session (days), enter a value from 1 to 90 to specify the number of days a session can remain open.

    Screenshot: Enable keep me signed in session

Users should not enable this option on public computers.

Configure the page identifier

To enable KMSI, set the content definition DataUri element to the page identifier unifiedssp and page version 1.1.0 or above.

  1. Open the extension file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkExtensions.xml. This extension file is one of the policy files included in the custom policy starter pack, which you should have obtained in the prerequisite, Get started with custom policies.

  2. Search for the BuildingBlocks element. If the element doesn't exist, add it.

  3. Add the ContentDefinitions element to the BuildingBlocks element of the policy.

    Your custom policy should look like the following code snippet:

    <BuildingBlocks>
      <ContentDefinitions>
        <ContentDefinition Id="api.signuporsignin">
          <DataUri>urn:com:microsoft:aad:b2c:elements:unifiedssp:1.1.0</DataUri>
        </ContentDefinition>
      </ContentDefinitions>
    </BuildingBlocks>
    

Add the metadata to the self-asserted technical profile

To add the KMSI checkbox to the sign-up and sign-in page, set the setting.enableRememberMe metadata to true. Override the SelfAsserted-LocalAccountSignin-Email technical profile in the extension file.

  1. Find the ClaimsProviders element. If the element doesn't exist, add it.
  2. Add the following claims provider to the ClaimsProviders element:
<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Metadata>
        <Item Key="setting.enableRememberMe">True</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
  3. Save the extension file.

Configure a relying party file

Update the relying party (RP) file that initiates the user journey that you created. The keepAliveInDays parameter allows you to configure how long the keep me signed in (KMSI) session cookie should persist. For example, if you set the value to 30, the KMSI session cookie will persist for 30 days. The range for the value is from 1 to 90 days.

  1. Open your custom policy file. For example, SignUpOrSignin.xml.

  2. If it doesn't already exist, add a <UserJourneyBehaviors> child node to the <RelyingParty> node. It must be located immediately after <DefaultUserJourney ReferenceId="User journey Id" />, for example: <DefaultUserJourney ReferenceId="SignUpOrSignIn" />.

  3. Add the following node as a child of the <UserJourneyBehaviors> element.

    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
    </UserJourneyBehaviors>
    

We recommend that you set the value of SessionExpiryInSeconds to a short period (1200 seconds), while the value of KeepAliveInDays can be set to a relatively long period (30 days), as shown in the following example:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
    <SessionExpiryType>Absolute</SessionExpiryType>
    <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
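A small lint for the RelyingParty fragment above, added here as an example (not part of the page or of any Microsoft tooling): it checks the constraints this article states, namely that UserJourneyBehaviors immediately follows DefaultUserJourney, that the SingleSignOn scope and SessionExpiryType take one of the listed values, that KeepAliveInDays is 1 to 90, and, as an assumption, that SessionExpiryInSeconds stays within the 24-hour lifetime cap given for user flows. The sample XML is constructed from the page's example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's RelyingParty fragment (not a real policy file).
SAMPLE_RP = """
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
    <SessionExpiryType>Absolute</SessionExpiryType>
    <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
  </TechnicalProfile>
</RelyingParty>
"""

SCOPES = {"Tenant", "Application", "Policy", "Disabled"}
EXPIRY_TYPES = {"Rolling", "Absolute"}
MAX_SESSION_SECONDS = 24 * 60 * 60   # assumption: the 24-hour cap stated for user flows


def _local(tag):
    """Strip an XML namespace prefix so the checks also work on namespaced policy files."""
    return tag.split("}", 1)[-1]


def check_user_journey_behaviors(xml_text):
    """Return a list of problems found in a RelyingParty fragment; an empty list means it passed."""
    problems = []
    rp = ET.fromstring(xml_text)
    children = [c for c in rp if isinstance(c.tag, str)]   # element children only
    names = [_local(c.tag) for c in children]
    if "DefaultUserJourney" not in names:
        return ["RelyingParty has no DefaultUserJourney element"]
    duj = names.index("DefaultUserJourney")
    if duj + 1 >= len(names) or names[duj + 1] != "UserJourneyBehaviors":
        return ["UserJourneyBehaviors must immediately follow DefaultUserJourney"]
    for el in children[duj + 1]:
        name = _local(el.tag)
        text = (el.text or "").strip()
        if name == "SingleSignOn":
            scope = el.get("Scope")
            if scope not in SCOPES:
                problems.append(f"SingleSignOn Scope {scope!r} is not one of {sorted(SCOPES)}")
            days = el.get("KeepAliveInDays")
            if days is not None and not (days.isdigit() and 1 <= int(days) <= 90):
                problems.append(f"KeepAliveInDays {days!r} must be an integer from 1 to 90")
            enforce = el.get("EnforceIdTokenHintOnLogout")
            if enforce is not None and enforce.lower() not in ("true", "false"):
                problems.append(f"EnforceIdTokenHintOnLogout {enforce!r} must be true or false")
        elif name == "SessionExpiryType":
            if text not in EXPIRY_TYPES:
                problems.append(f"SessionExpiryType {text!r} must be Rolling or Absolute")
        elif name == "SessionExpiryInSeconds":
            if not text.isdigit() or not (1 <= int(text) <= MAX_SESSION_SECONDS):
                problems.append(f"SessionExpiryInSeconds {text!r} must be 1..{MAX_SESSION_SECONDS}")
    return problems
```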

Sign-out

When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.

Upon a sign-out request, Azure AD B2C:

  1. Invalidates the Azure AD B2C cookie-based session.
  2. Attempts to sign out from federated identity providers:
    • OpenId Connect - If the identity provider's well-known configuration endpoint specifies an end_session_endpoint location.
    • OAuth2 - If the identity provider metadata contains the end_session_endpoint location.
    • SAML - If the identity provider metadata contains the SingleLogoutService location.
  3. Optionally, signs out from other applications. For more information, see the Single sign-out section.

Note

You can disable the sign-out from federated identity providers by setting the identity provider technical profile metadata SingleLogoutEnabled to false.

The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. If the user selects the same identity provider during a subsequent sign-in, they might reauthenticate without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their account. However, if local accounts are used, the user's session ends properly.

Single sign-out

When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.

To support single sign-out, the token issuer technical profiles for both JWT and SAML must specify:

  • The protocol name, such as <Protocol Name="OpenIdConnect" />
  • The reference to the session technical profile, such as <UseTechnicalProfileForSessionManagement ReferenceId="SM-OAuth-issuer" />.

The following example illustrates the JWT and SAML token issuers with single sign-out:

<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <!-- JWT Token Issuer -->
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT token Issuer</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      ...    
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-OAuth-issuer" />
    </TechnicalProfile>

    <!-- Session management technical profile for OIDC based tokens -->
    <TechnicalProfile Id="SM-OAuth-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>

    <!--SAML token issuer-->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>SAML token issuer</DisplayName>
      <Protocol Name="SAML2" />
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      ...
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
    </TechnicalProfile>

    <!-- Session management technical profile for SAML based tokens -->
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

Secure your logout redirect

After logout, the user is redirected to the URI specified in the post_logout_redirect_uri parameter, regardless of the reply URLs that have been specified for the application. However, if a valid id_token_hint is passed and Require ID Token in logout requests is turned on, Azure AD B2C verifies that the value of post_logout_redirect_uri matches one of the application's configured redirect URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed and the user is not redirected.

To require an ID Token in logout requests:

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select User flows.
  5. Open the user flow that you previously created.
  6. Select Properties.
  7. Enable Require ID Token in logout requests.
  8. Go back to Azure AD B2C.
  9. Select App registrations, and then select your application.
  10. Select Authentication.
  11. In the Logout URL text box, type your post logout redirect URI, and then select Save.

To require an ID Token in logout requests, add a UserJourneyBehaviors element inside the RelyingParty element. Then set the EnforceIdTokenHintOnLogout attribute of the SingleSignOn element to true. Your UserJourneyBehaviors element should look like this example:
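The decision described above, written out as an added example (not Azure AD B2C's code) so the difference the setting makes is visible: with Require ID Token off, the post_logout_redirect_uri is honoured as supplied; with it on and a valid id_token_hint present, the target must match a registered reply URL or the redirect is refused. The reply URLs are hypothetical, `id_token_hint_is_valid` stands in for B2C's token validation, exact matching is an assumption, and refusing a missing or invalid hint when the setting is on is also an assumption the page does not spell out.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example of the check described above; not Azure AD B2C's own code.
# The reply URLs are hypothetical values standing in for the app registration.
REGISTERED_REDIRECT_URIS = [
    "https://contoso.example/signout-callback",
    "https://contoso.example/",
]


def normalize(uri):
    """Compare scheme, host (case-insensitively), path and query exactly.
    Exact matching is an assumption; the page does not spell out B2C's comparison rule."""
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query)


def resolve_logout_redirect(query_string, require_id_token, id_token_hint_is_valid):
    """Decide where the sign-out endpoint may send the browser.

    Returns ("redirect", uri) or ("error", message). `id_token_hint_is_valid` stands in
    for the token validation B2C performs, which is not reproduced here."""
    params = parse_qs(query_string)
    target = params.get("post_logout_redirect_uri", [None])[0]
    hint = params.get("id_token_hint", [None])[0]
    if target is None:
        return ("error", "no post_logout_redirect_uri supplied")
    if not require_id_token:
        # Setting off: the page states the redirect is honoured regardless of reply URLs.
        return ("redirect", target)
    if hint is None or not id_token_hint_is_valid(hint):
        # Assumption: with the setting on, a missing or invalid hint is refused rather
        # than falling back to an unchecked redirect.
        return ("error", "a valid id_token_hint is required in logout requests")
    if normalize(target) in {normalize(u) for u in REGISTERED_REDIRECT_URIS}:
        return ("redirect", target)
    return ("error", "post_logout_redirect_uri does not match a configured reply URL")
```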

<UserJourneyBehaviors>
  <SingleSignOn Scope="Tenant" EnforceIdTokenHintOnLogout="true"/>
</UserJourneyBehaviors>

To configure your application Logout URL:

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select App registrations, and then select your application.
  5. Select Authentication.
  6. In the Logout URL text box, type your post logout redirect URI, and then select Save.

Next steps