
How to manage single account/session between user flows in Azure AD B2C

I'm developing a single-page application with React using the MSAL library, where the user signs up and signs in to the account using the SignupSignin user flow on Azure AD B2C and then initiates the Profile Edit user flow.

But when I check the accounts in the initial SignupSignin flow as below,

msalInstance.getAllAccounts()

I see only one account, but once the Profile Edit flow is initiated a second account/session gets created.

Is there a way to use the same session created in the SignupSignin user flow across all the user flow policies in Azure AD B2C? I use the following request when initiating the Profile Edit user flow:

  const request = {
    scopes: <scopes>,
    account: <account>, // initial account returned when the SignupSignin flow completed
    authority: <profileEdit.authority>
  };

  instance.loginRedirect(request).catch((e) => {
    console.error(e);
  });


To manage single account/session between user flows in Azure AD B2C:

• SSO (Single Sign-On) is the mechanism that manages a single account/session between user flows in AAD B2C.

• After the initial sign-in, Azure AD B2C persists a cookie-based session.

Integration with Azure AD B2C involves the following types of SSO sessions:

• Application - Session managed by the web, mobile, or single-page application. The application session can be a cookie-based session stored under the application's domain name, for example https://onepageapp.com.

A single-page application can be protected by OAuth access tokens, ID tokens, or SAML tokens. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app takes the user to the Azure AD B2C sign-in page.

• Application - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign in to onepageapp.com regardless of whether the user is already signed into Onepageapp.

• Keep me signed in (KMSI) - Extends the session lifetime through the use of a persistent cookie.

Note: XML files for setting this up are available at the reference link below.

Ref Link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out

No, you will always get a new account object in MSAL per User Flow/Custom Policy. This is because the Account objects are defined by the authority, and you will always have a different authority per User Flow. That's because the authority contains the AAD B2C policy ID, which is always unique per User Flow.

In most cases you can ignore all the MSAL account objects other than your Sign Up/Sign In account object. The sample code uses the selectAccount() method to always fetch the account object that contains your Sign Up/Sign In B2C policy ID.

If you are concerned that your claims are updated in the Profile Edit account object vs. the SUSI policy, then use the MSAL ssoSilent() method to perform a silent cookie-based SSO against the SUSI policy, such that the SUSI account object is updated. Perform this in the callback after Profile Edit completes.

Silent cookie-based SSO will only work if your application is on the same root domain as AAD B2C. You must use a custom domain with AAD B2C for it to work; otherwise modern browser protections will block this iframe.
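The account-selection and ssoSilent() pattern described in the answer above, as an added example that is not part of the original post or of the MSAL samples. The policy names, tenant, client ID and the fake MSAL instance are placeholders constructed for illustration; against a real PublicClientApplication only getAllAccounts() and ssoSilent() are called, with the signatures MSAL.js v2 exposes.

```javascript
// Added example (not from the original post): pick the Sign-Up/Sign-In (SUSI)
// account out of the per-policy account objects MSAL.js creates for B2C, and
// refresh it with ssoSilent() after a Profile Edit flow completes.
// Assumptions: the tenant, client ID and policy names below are placeholders;
// `instance` is a PublicClientApplication-like object exposing getAllAccounts()
// and ssoSilent() as MSAL.js v2 does.

const tenant = "contosob2c";                                   // assumed
const clientId = "00000000-0000-0000-0000-000000000000";       // assumed
const b2cPolicies = {
  signUpSignIn: "B2C_1_susi",                                  // assumed names
  profileEdit: "B2C_1_edit_profile",
  authority: (policy) =>
    `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}`,
};

// Given every account MSAL knows about, return the one minted by the SUSI
// policy for this client. B2C encodes the policy name in homeAccountId
// ("<oid>-<policy>.<tid>") and in the `tfp` ID-token claim; checking both,
// plus `aud`, avoids picking an account from another policy or another app.
function selectSusiAccount(accounts) {
  const policy = b2cPolicies.signUpSignIn.toLowerCase();
  const matches = accounts.filter((a) =>
    a.homeAccountId.toLowerCase().includes(policy) &&
    (a.idTokenClaims?.tfp ?? "").toLowerCase() === policy &&
    a.idTokenClaims?.aud === clientId
  );
  // Exactly one SUSI account is expected per user; anything else means the
  // app mixed up accounts, so refuse to guess rather than use the wrong one.
  return matches.length === 1 ? matches[0] : null;
}

// Run this from the redirect/popup callback once Profile Edit has finished.
// ssoSilent() opens a hidden iframe against the SUSI authority; B2C's cookie
// session answers it and MSAL rewrites the SUSI account's claims. This only
// works when the app and B2C share a root domain (custom domain); otherwise
// third-party-cookie blocking makes the iframe fail, which MSAL reports as an
// error such as login_required that we pass back to the caller.
async function refreshSusiAccountAfterProfileEdit(instance) {
  const susi = selectSusiAccount(instance.getAllAccounts());
  if (!susi) return { ok: false, reason: "no unique SUSI account" };
  try {
    const result = await instance.ssoSilent({
      authority: b2cPolicies.authority(b2cPolicies.signUpSignIn),
      scopes: ["openid", "profile"],
      account: susi,
    });
    return { ok: true, claims: result.idTokenClaims };
  } catch (err) {
    return { ok: false, reason: err.errorCode || String(err) };
  }
}

// Constructed stand-in for a PublicClientApplication so the logic can be
// exercised offline; real MSAL.js would talk to B2C over the network here.
// It holds a SUSI account with stale claims, the Profile Edit account with
// the new name, and a SUSI account that belongs to a different client.
function makeFakeInstance({ susiSessionOk, updatedName }) {
  const tid = "11111111-1111-1111-1111-111111111111";
  const oid = "22222222-2222-2222-2222-222222222222";
  const accounts = [
    { homeAccountId: `${oid}-b2c_1_susi.${tid}`,
      idTokenClaims: { tfp: "B2C_1_susi", aud: clientId, name: "Old Name" } },
    { homeAccountId: `${oid}-b2c_1_edit_profile.${tid}`,
      idTokenClaims: { tfp: "B2C_1_edit_profile", aud: clientId, name: updatedName } },
    { homeAccountId: `${oid}-b2c_1_susi.${tid}`,
      idTokenClaims: { tfp: "B2C_1_susi", aud: "other-client", name: "Other" } },
  ];
  return {
    getAllAccounts: () => accounts,
    ssoSilent: async () => {
      if (!susiSessionOk) {
        const e = new Error("login_required"); // what MSAL raises when the iframe gets no session
        e.errorCode = "login_required";
        throw e;
      }
      accounts[0].idTokenClaims = { ...accounts[0].idTokenClaims, name: updatedName };
      return { idTokenClaims: accounts[0].idTokenClaims, account: accounts[0] };
    },
  };
}
```

In a real app, replace makeFakeInstance() with your PublicClientApplication and call refreshSusiAccountAfterProfileEdit() from the handleRedirectPromise() result handler after the Profile Edit redirect returns; treat an { ok: false } result as "fall back to an interactive loginRedirect against the SUSI authority" rather than continuing with the stale account.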
