Commit 03ccabf

Michele changes + release notes
1 parent 410c7ea commit 03ccabf

8 files changed

+125
-123
lines changed

articles/active-directory-b2c/TOC.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -76,8 +76,8 @@
7676
href: user-overview.md
7777
- name: User profile attributes
7878
href: user-profile-attributes.md
79-
- name: Session
80-
href: session.md
79+
- name: SSO sessions
80+
href: session-overview.md
8181
- name: How-to guides
8282
items:
8383
- name: App integration
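Review bot: the TOC entry replaces `session.md` with `session-overview.md`, but nothing in this commit adds a redirection entry for the old path or keeps the old file; confirm a redirect from `articles/active-directory-b2c/session.md` to `session-overview.md` is part of this change, otherwise existing inbound links and bookmarks to the old article will break.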

articles/active-directory-b2c/custom-policy-developer-notes.md

Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: conceptual
12-
ms.date: 03/30/2020
12+
ms.date: 04/28/2020
1313
ms.author: mimart
1414
ms.subservice: B2C
1515
---
@@ -130,7 +130,7 @@ Custom policy/Identity Experience Framework capabilities are under constant and
130130
| [Default SSO session provider](custom-policy-reference-sso.md#defaultssosessionprovider) | | | X | |
131131
| [External login session provider](custom-policy-reference-sso.md#externalloginssosessionprovider) | | | X | |
132132
| [SAML SSO session provider](custom-policy-reference-sso.md#samlssosessionprovider) | | | X | |
133-
133+
| [OAuthSSOSessionProvider](custom-policy-reference-sso.md#oauthssosessionprovider) | | X | | |
134134

135135
### Security
136136

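Review bot: the new row is labelled with the raw class name `OAuthSSOSessionProvider` while the neighbouring rows use readable names ("Default SSO session provider", "SAML SSO session provider"); use "OAuth SSO session provider" for consistency. Also verify that the `#oauthssosessionprovider` anchor exists in `custom-policy-reference-sso.md`, since this commit's change to that file does not add such a heading.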
articles/active-directory-b2c/custom-policy-reference-sso.md

Lines changed: 2 additions & 1 deletion
@@ -160,6 +160,7 @@ The following `SM-Saml-issuer` technical profile is used by [SAML issuer technic
160160
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
161161
</TechnicalProfile>
162162
```
163+
163164
#### Metadata
164165

165166
| Attribute | Required | Description|
@@ -170,4 +171,4 @@ The following `SM-Saml-issuer` technical profile is used by [SAML issuer technic
170171

171172
## Next steps
172173

173-
- Learn more about [Azure AD B2C session](session.md).
174+
- Learn more about [Azure AD B2C session](session-overview.md).

articles/active-directory-b2c/openid-connect.md

Lines changed: 2 additions & 2 deletions
@@ -145,7 +145,7 @@ grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&sco
145145
| {tenant} | Yes | Name of your Azure AD B2C tenant |
146146
| {policy} | Yes | The user flow that was used to acquire the authorization code. You can't use a different user flow in this request. Add this parameter to the query string, not to the POST body. |
147147
| client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
148-
| client_secret | Yes, in Web Apps | The application secret that was generated in the [Azure portal](https://portal.azure.com/). Client secrets are used in this flow for Web App scenarios, where the client can securely store a client secret. For Native App (public client) scenarios, client secrets cannot be securely stored, threfore not used on this flow. If using a client secret, please change it on a periodic basis. |
148+
| client_secret | Yes, in Web Apps | The application secret that was generated in the [Azure portal](https://portal.azure.com/). Client secrets are used in this flow for Web App scenarios, where the client can securely store a client secret. For Native App (public client) scenarios, client secrets cannot be securely stored, therefore not used on this flow. If using a client secret, please change it on a periodic basis. |
149149
| code | Yes | The authorization code that you acquired in the beginning of the user flow. |
150150
| grant_type | Yes | The type of grant, which must be `authorization_code` for the authorization code flow. |
151151
| redirect_uri | Yes | The `redirect_uri` parameter of the application where you received the authorization code. |
@@ -258,7 +258,7 @@ Error responses look like:
258258

259259
## Send a sign-out request
260260

261-
When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to reauthenticate to your application without entering their credentials again. For more information, see [Azure AD B2C session](session.md).
261+
When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to reauthenticate to your application without entering their credentials again. For more information, see [Azure AD B2C session](session-overview.md).
262262

263263
To sign out the user, redirect the user to the `end_session` endpoint that is listed in the OpenID Connect metadata document described earlier:
264264

articles/active-directory-b2c/session-behavior.md

Lines changed: 1 addition & 1 deletion
@@ -58,4 +58,4 @@ The following use cases are enabled using these properties:
5858

5959
## Next steps
6060

61-
- Learn more about [Azure AD B2C session](session.md).
61+
- Learn more about [Azure AD B2C session](session-overview.md).
Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,116 @@
1+
---
2+
title: SSO sessions in Azure Active Directory B2C | Microsoft Docs
3+
description: Configure session behavior in Azure Active Directory B2C.
4+
services: active-directory-b2c
5+
author: msmimart
6+
manager: celestedg
7+
8+
ms.service: active-directory
9+
ms.workload: identity
10+
ms.topic: conceptual
11+
ms.date: 04/28/2019
12+
ms.author: mimart
13+
ms.subservice: B2C
14+
---
15+
16+
# Azure AD B2C session
17+
18+
Single sign-on (SSO) adds security and convenience when users sign in across applications in Azure Active Directory B2C (Azure AD B2C). This article describes the single sign-on methods used in Azure AD B2C and helps you choose the most appropriate SSO method when configuring your policy.
19+
20+
With single sign-on, users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or single page application, regardless of platform or domain name.
21+
22+
When the user initially signs in to an application, Azure AD B2C persists a cookie-based session. Upon subsequent authentication requests, Azure AD B2C reads and validates the cookie-based session, and issues an access token without prompting the user to sign in again. If the cookie-based session expires or becomes invalid, the user is prompted to sign-in again.
23+
24+
## SSO session types
25+
26+
Integration with Azure AD B2C involves three types of SSO sessions:
27+
28+
- **Azure AD B2C** - Session managed by Azure AD B2C
29+
- **Federated identity provider** - Session managed by the identity provider, for example Facebook, Salesforce, or Microsoft account
30+
- **Application** - Session managed by the web, mobile, or single page application
31+
32+
![SSO session](media/session-overview/sso-session-types.png)
33+
34+
### Azure AD B2C SSO
35+
36+
When a user successfully authenticates with a local or social account, Azure AD B2C stores a cookie-based session on the user's browser. The cookie is stored under the Azure AD B2C tenant domain name, such as `https://contoso.b2clogin.com`.
37+
38+
If a user initially signs in with a federated account, and then during the session time window (time-to-live, or TTL) signs in to the same app or a different app, Azure AD B2C tries to acquire a new access token from the federated identity provider. If the federated identity provider session is expired or invalid, the federated identity provider prompts the user for their credentials. If the session is still active (or if the user has signed in with a local account instead of a federated account), Azure AD B2C authorizes the user and eliminates further prompts.
39+
40+
You can configure the session behavior, including the session TTL and how Azure AD B2C shares the session across policies and applications.
41+
42+
### Federated identity provider SSO
43+
44+
A social or enterprise identity provider manages its own session. The cookie is stored under the identity provider's domain name, such as `https://login.salesforce.com`. Azure AD B2C doesn't control the federated identity provider session. Instead, session behavior is determined by the federated identity provider.
45+
46+
Consider the following scenario:
47+
48+
1. A user signs into Facebook to check their feed.
49+
2. Later, the user opens your application and starts the sign-in process. The application redirects the user to Azure AD B2C to complete the sign-in process.
50+
3. On the Azure AD B2C sign-up or sign-in page, the user choses to sign-in with their Facebook account. The user is redirected to Facebook. If there is an active session at Facebook, the user is not prompted to provide their credentials and is immediately redirected to Azure AD B2C with a Facebook token.
51+
52+
### Application SSO
53+
54+
A web, mobile, or single page application can be protected by OAuth access, ID tokens, or SAML tokens. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to Azure AD B2C to sign-in page.
55+
56+
The application session can be a cookie-based session stored under the application domain name, such as `https://contoso.com`. Mobile applications might store the session in a different way but using a similar approach.
57+
58+
## Azure AD B2C session configuration
59+
60+
### Session scope
61+
62+
The Azure AD B2C session can be configured with the following scopes:
63+
64+
- **Tenant** - This setting is the default. Using this setting allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one upon accessing it.
65+
- **Application** - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign in to Contoso Pharmacy regardless of whether the user is already signed into Contoso Groceries.
66+
- **Policy** - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For example, if the user has already signed in and completed a multi-factor authentication (MFA) step, the user can be given access to higher-security parts of multiple applications, as long as the session tied to the user flow doesn't expire.
67+
- **Suppressed** - This setting forces the user to run through the entire user flow upon every execution of the policy.
68+
69+
### Session life time
70+
71+
The **session life time** is the amount of time the Azure AD B2C session cookie is stored on the user's browser after successful authentication. You can set the session life time to a value between 15 and 720 minutes.
72+
73+
### Keep me signed-in
74+
75+
The **keep me signed-in** feature extends the session life time through the use of a persistent cookie. The session remains active after the user closes and reopens the browser. The session is revoked only when a user signs out. The keep me signed-in feature only applies to sign-in with local accounts.
76+
77+
The keep me signed-in feature takes precedence over the session life time. If the keep me signed-in feature is enabled and the user selects it, this feature dictates when the session will expire.
78+
79+
### Session expiry type
80+
81+
The **session expiry type** indicates how a session is extended by the session life time setting or the keep me signed-in setting.
82+
83+
- **Rolling** - Indicates that the session is extended every time the user performs a cookie-based authentication (default).
84+
- **Absolute** - Indicates that the user is forced to re-authenticate after the time period specified.
85+
86+
## Sign-out
87+
88+
When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. You must redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to re-authenticate to your applications without entering their credentials again.
89+
90+
Upon a sign-out request, Azure AD B2C:
91+
92+
1. Invalidates the Azure AD B2C cookie-based session.
93+
2. Attempts to sign-out from federated identity providers. This currently unconfigurable.
94+
1. OpenId Connect - if the well-known configuration end point specifies `end_session_endpoint` location.
95+
2. SAML - if the IDP metadata contains the `SingleLogoutService` location.
96+
3. Optionally, sign-out from other applications. For more information, see the [Single sign-out](#single-sign-out) section.
97+
98+
> [!NOTE]
99+
> The sign-out clears the user's single sign-on state with Azure AD B2C, but it may not sign the user out of their social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they may reauthenticated without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their Facebook account. However, if local accounts are used, the user's session ends properly.
100+
101+
### Single sign-out
102+
103+
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered `LogoutUrl` of all the applications that the user is currently signed in to.
104+
105+
Applications must respond to this request by clearing any session that identifies the user and returning a `200` response. If you wish to support single sign out in your application, you must implement such a `LogoutUrl` in your application's code. You can set the `LogoutUrl` from the Azure portal:
106+
107+
1. Navigate to the [Azure portal](https://portal.azure.com).
108+
2. Choose your Active B2C by clicking on your account in the top right corner of the page.
109+
3. From the left hand navigation panel, choose **Azure Active B2C**, then choose **App registrations** and select your application.
110+
4. Click on **Settings**, then **Properties** and find the **Logout URL** text box.
111+
112+
113+
## Next steps
114+
115+
- Learn how to [configure session behavior in user flow](session-behavior.md).
116+
- Learn how to [configure session behavior in custom policy](custom-policy-manage-sso-and-token-config.md#session-behavior-and-sso).
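Review bot: the front matter sets `ms.date: 04/28/2019`, a year behind the `04/28/2020` this same commit writes into `custom-policy-developer-notes.md`; this looks like a typo and will make the new article appear stale. A few wording fixes before merge: "This currently unconfigurable." is missing a verb ("This is currently not configurable."); "they may reauthenticated" should be "they may be reauthenticated"; "the user choses to sign-in" should be "the user chooses to sign in"; "take the user to Azure AD B2C to sign-in page" should be "take the user to the Azure AD B2C sign-in page"; and in the portal steps "Choose your Active B2C" and "Azure Active B2C" should name the Azure AD B2C tenant/directory as the other B2C articles do. In the single sign-out section, consider stating that the `LogoutUrl` handler should be idempotent, returning `200` even when there is no application session left to clear, since the same request is sent to every application the user is signed in to.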
