Commit 658ee95

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into melvyn-asc-alerts_ref
2 parents b7e989b + cba6f18 commit 658ee95

263 files changed

+3465
-917
lines changed

articles/active-directory-b2c/configure-authentication-sample-angular-spa-app.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -145,7 +145,7 @@ export const b2cPolicies = {
145145
export const msalConfig: Configuration = {
146146
auth: {
147147
clientId: '<your-MyApp-application-ID>',
148-
authority: b2cPolicies.authorities.signUpSignIn.
148+
authority: b2cPolicies.authorities.signUpSignIn,
149149
knownAuthorities: [b2cPolicies.authorityDomain],
150150
redirectUri: '/',
151151
},

articles/active-directory-b2c/enable-authentication-angular-spa-app.md

Lines changed: 3 additions & 3 deletions
@@ -107,12 +107,12 @@ export const b2cPolicies = {
107107
export const msalConfig: Configuration = {
108108
auth: {
109109
clientId: '<your-MyApp-application-ID>',
110-
authority: b2cPolicies.authorities.signUpSignIn.
110+
authority: b2cPolicies.authorities.signUpSignIn,
111111
knownAuthorities: [b2cPolicies.authorityDomain],
112112
redirectUri: '/',
113113
},
114114
cache: {
115-
cacheLocation: BrowserCacheLocation.LocalStorage,.
115+
cacheLocation: BrowserCacheLocation.LocalStorage,
116116
storeAuthStateInCookie: isIE,
117117
},
118118
system: {
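Review bot: the two punctuation fixes are correct, but the unchanged `cacheLocation: BrowserCacheLocation.LocalStorage` line in this hunk deserves a sentence in the surrounding text. MSAL.js defaults to `sessionStorage`; opting into `localStorage` keeps the cached tokens readable by any script running on the origin until they are cleared, so the article should say why the sample chooses the persistent store and what that exposes if the SPA has an XSS bug. A short comment beside the setting, or one sentence under the snippet, would be enough.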
@@ -129,7 +129,7 @@ export const msalConfig: Configuration = {
129129
export const protectedResources = {
130130
todoListApi: {
131131
endpoint: "http://localhost:5000/api/todolist",
132-
scopes: ["https://your-tenant-namee.onmicrosoft.com/api/tasks.read"],
132+
scopes: ["https://your-tenant-name.onmicrosoft.com/api/tasks.read"],
133133
},
134134
}
135135
export const loginRequest = {

articles/active-directory-b2c/openid-connect.md

Lines changed: 8 additions & 6 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: conceptual
11-
ms.date: 09/20/2021
11+
ms.date: 10/05/2021
1212
ms.author: mimart
1313
ms.subservice: B2C
1414
ms.custom: fasttrack-edit
@@ -267,9 +267,9 @@ Error responses look like:
267267

268268
## Send a sign-out request
269269

270-
When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to reauthenticate to your application without entering their credentials again. For more information, see [Azure AD B2C session](session-behavior.md).
270+
When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to reauthenticate to your application without entering their credentials again. For more information, see [Azure AD B2C session behavior](session-behavior.md).
271271

272-
To sign out the user, redirect the user to the `end_session` endpoint that is listed in the OpenID Connect metadata document described earlier:
272+
To sign out the user, redirect the user to the `end_session_endpoint` that is listed in the OpenID Connect metadata document described earlier:
273273

274274
```http
275275
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fjwt.ms%2F
@@ -278,11 +278,13 @@ GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/
278278
| Parameter | Required | Description |
279279
| --------- | -------- | ----------- |
280280
| {tenant} | Yes | Name of your Azure AD B2C tenant |
281-
| {policy} | Yes | The user flow that has been used in authorization request. For example, if user signed-in with the `b2c_1_sign_in` user flow, specify the `b2c_1_sign_in` in the sign-out request. |
281+
| {policy} | Yes | The user flow that has been used in the authorization request. For example, if the user signed-in with the `b2c_1_sign_in` user flow, specify `b2c_1_sign_in` in the sign-out request. |
282282
| id_token_hint| No | A previously issued ID token to pass to the logout endpoint as a hint about the end user's current authenticated session with the client. The `id_token_hint` ensures that the `post_logout_redirect_uri` is a registered reply URL in your Azure AD B2C application settings. For more information, see [Secure your logout redirect](#secure-your-logout-redirect). |
283283
| client_id | No* | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application.<br><br>\**This is required when using `Application` isolation SSO configuration and _Require ID Token_ in logout request is set to `No`.* |
284284
| post_logout_redirect_uri | No | The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message. Unless you provide an `id_token_hint`, you should not register this URL as a reply URL in your Azure AD B2C application settings. |
285-
| state | No | If a `state` parameter is included in the request, the same value should appear in the response. The application should verify that the `state` values in the request and response are identical. |
285+
| state | No | If a `state` parameter is included in the authorization request, the same value will be returned in the response to the `post_logout_redirect_uri`. The application should verify that the `state` values in the request and response are identical. |
286+
287+
Upon a sign-out request, Azure AD B2C invalidates the Azure AD B2C cookie-based session, and attempts to sign out from federated identity providers. For more information, see [Single sign-out](session-behavior.md?pivots=b2c-custom-policy#single-sign-out).
286288

287289
### Secure your logout redirect
288290

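Review bot: the rewritten `state` row (line 285) now says the value is taken from the authorization request, but the parameter described in this table belongs to the sign-out request: it is the `state` the application sends to the logout endpoint that Azure AD B2C echoes back on the redirect to `post_logout_redirect_uri`. Suggest: "If a `state` parameter is included in the sign-out request, the same value is returned in the redirect to the `post_logout_redirect_uri`." Keep the instruction to compare the two values, since that comparison is what lets the application reject a post-logout redirect it did not initiate.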
@@ -292,4 +294,4 @@ To set the required ID Token in logout requests, see [Configure session behavior
292294

293295
## Next steps
294296

295-
- Learn more about [Azure AD B2C session](session-behavior.md).
297+
- Learn more about [Azure AD B2C session](session-behavior.md).

articles/active-directory-b2c/saml-service-provider-options.md

Lines changed: 8 additions & 7 deletions
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 04/05/2021
12+
ms.date: 10/05/2021
1313
ms.author: mimart
1414
ms.subservice: B2C
1515
ms.custom: fasttrack-edit
@@ -83,7 +83,7 @@ The following example shows metadata for a SAML service provider, with `WantAsse
8383

8484
```xml
8585
<EntityDescriptor ID="id123456789" entityID="https://samltestapp2.azurewebsites.net" validUntil="2099-12-31T23:59:59Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
86-
<SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
86+
<SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
8787
...
8888
</SPSSODescriptor>
8989
</EntityDescriptor>
@@ -152,7 +152,7 @@ To configure the encryption method for encrypting the copy of the key that was u
152152
- `Rsa15` (default): RSA Public Key Cryptography Standard (PKCS) Version 1.5 algorithm.
153153
- `RsaOaep`: RSA Optimal Asymmetric Encryption Padding (OAEP) encryption algorithm.
154154

155-
The metadata controls the value of the `<EncryptedKey>` element in the SAML response.
155+
The metadata controls the value of the `<EncryptedKey>` element in the SAML response.
156156

157157
The following example shows the `EncryptedAssertion` section of a SAML assertion. The encrypted data method is `Aes128`, and the encrypted key method is `Rsa15`.
158158

@@ -222,15 +222,16 @@ To enable IdP-initiated flow, set the `IdpInitiatedProfileEnabled` metadata item
222222

223223
To sign in or sign up a user through IdP-initiated flow, use the following URL:
224224

225-
```
226-
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/generic/login?EntityId=app-identifier-uri
225+
```http
226+
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/generic/login?EntityId=<app-identifier-uri>&RelayState=<relay-state>
227227
```
228228

229229
Replace the following values:
230230

231231
* Replace `<tenant-name>` with your tenant name.
232232
* Replace `<policy-name>` with the name of your SAML relying party policy.
233-
* Replace `app-identifier-uri` with the `identifierUris` value in the metadata file, such as `https://contoso.onmicrosoft.com/app-name`.
233+
* Replace `<app-identifier-uri>` with the `identifierUris` value in the metadata file, such as `https://contoso.onmicrosoft.com/app-name`.
234+
* [Optional] replace `<relay-state>` with a value included in the authorization request that also is returned in the token response. The `relay-state` parameter is used to encode information about the user's state in the app before the authentication request occurred, such as the page they were on.
234235

235236
### Sample policy
236237

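Review bot: the new `<relay-state>` bullet (line 234) describes RelayState in OAuth terms ("authorization request", "token response"), but the URL above it is the IdP-initiated SAML login URL: there is no authorization request or token response in this flow, and RelayState is simply carried unchanged to the service provider alongside the SAML response. Suggest rewording to say that, and adding that because anyone can construct this URL, the service provider must treat the returned RelayState as untrusted input (for example, accept only a relative path on its own site) rather than redirecting to it blindly.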
@@ -394,4 +395,4 @@ By using these tools, you can check the integration between your application and
394395
<!-- LINKS - External -->
395396
[samltest]: https://aka.ms/samltestapp
396397

397-
::: zone-end
398+
::: zone-end

articles/active-directory-b2c/saml-service-provider.md

Lines changed: 12 additions & 14 deletions
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 09/20/2021
12+
ms.date: 10/05/2021
1313
ms.author: mimart
1414
ms.subservice: B2C
1515
ms.custom: fasttrack-edit
@@ -34,7 +34,7 @@ In this article, learn how to connect your Security Assertion Markup Language (S
3434

3535
Organizations that use Azure AD B2C as their customer identity and access management solution might require integration with applications that authenticate by using the SAML protocol. The following diagram shows how Azure AD B2C serves as an *identity provider* (IdP) to achieve single-sign-on (SSO) with SAML-based applications.
3636

37-
![Diagram with Azure Active Directory B 2 C as an identity provider on the left and as a service provider on the right.](media/saml-service-provider/saml-service-provider-integration.png)
37+
![Diagram with Azure Active Directory B2C as an identity provider on the left and as a service provider on the right.](media/saml-service-provider/saml-service-provider-integration.png)
3838

3939
1. The application creates a SAML AuthN request that's sent to the SAML login endpoint for Azure AD B2C.
4040
2. The user can use an Azure AD B2C local account or any other federated identity provider (if configured) to authenticate.
@@ -175,7 +175,7 @@ Now that your policy can create SAML responses, you must configure the policy to
175175

176176
1. Open the *SignUpOrSigninSAML.xml* file in your preferred editor.
177177

178-
1. Change the `PolicyId` and `PublicPolicyUri` values of the policy to `_B2C_1A_signup_signin_saml_` and `http://<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin_saml`.
178+
1. Change the `PolicyId` and `PublicPolicyUri` values of the policy to `B2C_1A_signup_signin_saml` and `http://<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin_saml`.
179179

180180
```xml
181181
<TrustFrameworkPolicy
@@ -345,7 +345,7 @@ Using the SAML test application as an example, you'd use the following value for
345345

346346
You can configure the reply URL to which Azure AD B2C sends SAML responses. Reply URLs can be configured in the application manifest. This configuration is useful when your application doesn't expose a publicly accessible metadata endpoint.
347347

348-
The reply URL for a SAML application is the endpoint at which the application expects to receive SAML responses. The application usually provides this URL in the metadata document under the `AssertionConsumerServiceUrl` attribute, as shown in this example:
348+
The reply URL for a SAML application is the endpoint at which the application expects to receive SAML responses. The application usually provides this URL in the metadata document as the `Location` attribute of the `AssertionConsumerService` element, as shown in this example:
349349

350350
```xml
351351
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
@@ -354,7 +354,7 @@ The reply URL for a SAML application is the endpoint at which the application ex
354354
</SPSSODescriptor>
355355
```
356356

357-
If you want to override the metadata provided in the `AssertionConsumerServiceUrl` attribute or the URL isn't present in the metadata document, you can configure the URL in the manifest under the `replyUrlsWithType` property. The `BindingType` value will be set to `HTTP POST`.
357+
If the application's metadata `AssertionConsumerService` element is missing, or you want to override it, configure the application registration manifest `replyUrlsWithType` property. Azure AD B2C uses the `replyUrlsWithType` to redirect users after they're signed in using the `HTTP-POST` binding type.
358358

359359
Using the SAML test application as an example, you'd set the `url` property of `replyUrlsWithType` to the value shown in the following JSON snippet:
360360

@@ -369,20 +369,18 @@ Using the SAML test application as an example, you'd set the `url` property of `
369369

370370
#### Override or set the logout URL (optional)
371371

372-
You can configure the logout URL to which Azure AD B2C will send the user after a logout request. Reply URLs can be configured in the application manifest.
373-
374-
If you want to override the metadata provided in the `SingleLogoutService` attribute or the URL isn't present in the metadata document, you can configure it in the manifest under the `Logout` property. The `BindingType` value will be set to `Http-Redirect`.
375-
376-
The application usually provides this URL in the metadata document under the `AssertionConsumerServiceUrl` attribute, as shown in the following example:
372+
The logout URL defines where to redirect the user after a logout request. The application usually provides this URL in the metadata document as the `Location` attribute of the `SingleLogoutService` element, as shown in the following example:
377373

378374
```xml
379-
<IDPSSODescriptor WantAuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
375+
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
380376
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/logout" ResponseLocation="https://samltestapp2.azurewebsites.net/logout" />
381377

382-
</IDPSSODescriptor>
378+
</SPSSODescriptor>
383379
```
384380

385-
Using the SAML test application as an example, you'd leave `logoutUrl` set to `https://samltestapp2.azurewebsites.net/logout`:
381+
If the application's metadata `SingleLogoutService` element is missing, configure the application registration manifest `logoutUrl` property. Azure AD B2C uses the `logoutURL` to redirect users after they're signed out using the `HTTP-Redirect` binding type.
382+
383+
Using the SAML test application as an example, you'd set the `logoutUrl` property to `https://samltestapp2.azurewebsites.net/logout`:
386384

387385
```json
388386
"logoutUrl": "https://samltestapp2.azurewebsites.net/logout",
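Review bot: the new sentence at line 381 names the manifest property as `logoutUrl` and then `logoutURL` in the same sentence; the JSON snippet that follows uses `logoutUrl`, so the second spelling should match it. Swapping the sample from `IDPSSODescriptor` to `SPSSODescriptor` is the right fix (the service provider's metadata declares its own `SingleLogoutService` location), but note that the `Binding` in the sample is `HTTP-Redirect` while the prose calls it "the `HTTP-Redirect` binding type"; worth keeping the hyphenated form consistent with the earlier `HTTP-POST` wording in this file.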
@@ -436,4 +434,4 @@ The following SAML application scenarios are supported via your own metadata end
436434
<!-- LINKS - External -->
437435
[samltest]: https://aka.ms/samltestapp
438436

439-
::: zone-end
437+
::: zone-end

articles/active-directory-b2c/session-behavior.md

Lines changed: 32 additions & 7 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 09/20/2021
11+
ms.date: 10/05/2021
1212
ms.custom: project-no-code
1313
ms.author: mimart
1414
ms.subservice: B2C
@@ -60,7 +60,7 @@ Consider the following scenario:
6060

6161
### Application session
6262

63-
A web, mobile, or single page application can be protected by OAuth access, ID tokens, or SAML tokens. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to Azure AD B2C to sign-in page.
63+
A web, mobile, or single page application can be protected by an OAuth2 access token, ID token, or SAML token. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to the Azure AD B2C sign-in page.
6464

6565
The application session can be a cookie-based session stored under the application domain name, such as `https://contoso.com`. Mobile applications might store the session in a different way but using a similar approach.
6666

@@ -243,7 +243,7 @@ Upon a sign-out request, Azure AD B2C:
243243

244244
::: zone pivot="b2c-user-flow"
245245
1. Invalidates the Azure AD B2C cookie-based session.
246-
1. Attempts to sign out from federated identity providers
246+
1. Attempts to sign out from federated identity providers.
247247
::: zone-end
248248

249249
::: zone pivot="b2c-custom-policy"
@@ -262,11 +262,13 @@ The sign-out clears the user's single sign-on state with Azure AD B2C, but it mi
262262

263263
::: zone pivot="b2c-custom-policy"
264264

265-
### Single sign-out
265+
## Single sign-out
266266

267-
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered `LogoutUrl` of all the applications that the user is currently signed in to.
267+
When you redirect the user to the [Azure AD B2C sign-out endpoint](openid-connect.md#send-a-sign-out-request) (for both OAuth2 and OpenID Connect) or send a `LogoutRequest` (for SAML), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To sign the user out of all applications which have an active session, Azure AD B2C supports *single sign-out*, also known as *Single Log-Out (SLO)*.
268268

269-
Applications must respond to this request by clearing any session that identifies the user and returning a `200` response. If you want to support single sign-out in your application, you must implement a `LogoutUrl` in your application's code.
269+
During the sign-out, Azure AD B2C simultaneously sends an HTTP request to the registered logout URL of all the applications that the user is currently signed in to.
270+
271+
### Configure your custom policy
270272

271273
To support single sign-out, the token issuer technical profiles for both JWT and SAML must specify:
272274

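Review bot: the removed line 269 was the only place that told application authors what their logout handler must do when the front-channel request arrives (clear the session and return `200`); its replacement at line 269 only says that Azure AD B2C sends the request. If a `200` is still the expected answer, carry that requirement into the new text (or into the "Handling single sign-out requests" section added later in this file); otherwise state what response is acceptable, since the application has no other way to know whether its handler is considered successful.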
@@ -312,6 +314,29 @@ The following example illustrates the JWT and SAML token issuers with single sig
312314
</ClaimsProvider>
313315
```
314316

317+
### Configure your application
318+
319+
In order for an application to participate in single sign-out:
320+
321+
- For [SAML service providers](saml-service-provider.md), configure the application with the [SingleLogoutService location in its SAML metadata document](saml-service-provider.md#override-or-set-the-logout-url-optional). You can also configure the app registration `logoutUrl`. For more information, see [set the logout URL](saml-service-provider.md#override-or-set-the-logout-url-optional).
322+
- For OpenID Connect or OAuth2 applications, set the `logoutUrl` attribute of your app registration manifest. To configure the logout url:
323+
1. From the Azure AD B2C menu, select **App registrations**.
324+
1. Select your application registration.
325+
1. Under **Manage**, select **Authentication**.
326+
1. Under the **Front-channel logout URL**, configure your logout URL.
327+
328+
### Handling single sign-out requests
329+
330+
When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in to. Note, the application that triggers the sign-out request will not get this log-out message. Your applications must respond to the sign-out request by clearing the application session that identifies the user.
331+
332+
- For OpenID Connect and OAuth2 applications, Azure AD B2C sends an HTTP GET request to the registered logout URL.
333+
- For SAML applications, Azure AD B2C sends a SAML logout request to the registered logout URL.
334+
335+
When all applications have been notified of the log-out, Azure AD B2C will do one of the following:
336+
337+
- For OpenID Connect or OAuth2 applications, the user is redirected to the requested `post_logout_redirect_uri` including the (optional) `state` parameter specified in the initial request. For example `https://contoso.com/logout?state=foo`.
338+
- For SAML applications, a SAML logout response is sent via HTTP POST to the application that initially sent the logout request.
339+
315340
::: zone-end
316341

317342
### Secure your logout redirect
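Review bot: the "Handling single sign-out requests" section (lines 328 to 338) should say what the iframe delivery implies for the handler: the logout URL is fetched cross-site from a hidden frame, so it must be an idempotent GET with no side effect beyond ending the session, must not demand a CSRF token or render interactive content, and will not receive cookies marked `SameSite=Lax` or `SameSite=Strict` (nor any cookie when the browser blocks third-party cookies). An application whose session cookie is not `SameSite=None; Secure` may therefore never see the session it is being asked to clear, which is the most common reason front-channel logout silently does nothing. Also, "Note, the application that triggers the sign-out request will not get this log-out message." reads better as "Note that the application that triggers the sign-out request does not receive this logout message.", and "log-out", "logout" and "sign-out" are mixed within the same paragraph.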
@@ -361,4 +386,4 @@ To configure your application Logout URL:
361386

362387
## Next steps
363388

364-
- Learn how to [configure tokens in Azure AD B2C](configure-tokens.md).
389+
- Learn how to [configure tokens in Azure AD B2C](configure-tokens.md).
