Azure-docs: KMSI KeepAliveInDays attribute for OIDC/OAuth providers

Created on 27 Mar 2019 · 14 Comments · Source: MicrosoftDocs/azure-docs

We have Sign in with Microsoft enabled using Azure AD Multi-Tenant for our B2C. Setting KeepAliveInDays="7" enables the SSO cookie expiration to be set to 7 days for local accounts, but the SSO cookie for Sign in with Microsoft/Azure AD expires at the session even after selecting __Stay Signed in__ at the Microsoft authentication page.

Add a section to the article explaining the Keep me signed in configuration for federated authentications.


Document Details


B2subsvc Pri2 active-directory-b2svc active-directorsvc assigned-to-author doc-enhancement triaged

All 14 comments

@harshithkashyap
Thanks for your feedback! We will investigate and update as appropriate.

@MarileeTurscak-MSFT It's been a couple of months. Do you have any update on this?

@MarileeTurscak-MSFT: Please assign this item to @mmacy who is now supporting Azure AD B2C.

Please reassign or close.

please-close

@MarileeTurscak-MSFT or @FrankHu-MSFT, can one of you reopen this one for us, please? This still needs to be addressed. Thanks! -MM

EDIT: Please also add the B2C/subsvc tag (if you see this).

@FrankHu-MSFT can you add the B2C/subsvc label to this one?

Hi @harshithkashyap

The bug that forced the session cookie to expire is now fixed. For local accounts, it abides by the value set for KeepAliveInDays.

The configuration is the same as before. https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-kmsi-custom

Hi @harmand7, it indeed works for local accounts and we don't see any issues there. But this issue is related to KeepAliveInDays for social accounts. Along with local accounts, we also provide a _Sign in with Microsoft_ option to allow customers to sign in with their organizational AAD/O365 accounts instead of requiring them to sign up with local accounts. There isn't a way to set KMSI or set session cookie expiration for social sign-ins. The cookie is set to expire as soon as the browser is closed.

Hi @harshithkashyap, thanks for your patience on this.

The Azure AD B2C Session Cookie will always be evaluated first to determine if the user should be sent back to their federated IdP to do a new authentication. Only when both the Azure AD B2C session cookie and the federated IdP's session cookie are expired will the user have to re-enter their credentials at the federated IdP.

To prevent the user from having to go back to the federated IdP to authenticate, you can raise the AAD B2C session cookie lifetime beyond that of the federated IdP session cookie lifetime.

When using a Custom Policy, you can use the Session Management technical profile to make sure the federated IdP authentication is part of the session itself. See how we did this for the Google IdP with the use of SM-SocialLogin:

https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-custom-setup-goog-idp#add-a-claims-provider

<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />

Add this line to the federated IdP technical profile to make sure it's part of the Azure AD B2C session.
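An added example, not code from the issue thread or from the Azure AD B2C documentation, showing where the pieces discussed in this comment sit in a custom policy: the `UseTechnicalProfileForSessionManagement` reference on a federated OpenID Connect technical profile, the `SM-SocialLogin` session-management profile it points to, and the `KeepAliveInDays` attribute on the relying party's `SingleSignOn` element. The tenant, authority, `client_id`, policy key name and claim list are placeholders, and the metadata items follow the usual multi-tenant Azure AD setup; the fragments are only the session-related parts of TrustFrameworkExtensions.xml and the relying-party file. Per the later comment in this thread, KMSI applies only to local accounts, so the `KeepAliveInDays` value governs the local-account session and this fragment is a map of the settings, not a way to extend KMSI to external IdPs.

```xml
<!-- Added example: fragments of an Azure AD B2C custom policy, not code from the issue thread.
     Placeholders: the Azure AD authority, the client_id value and the key container name. -->

<!-- 1. Federated IdP technical profile (a ClaimsProvider in TrustFrameworkExtensions.xml) -->
<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Sign in with Microsoft</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <DisplayName>Sign in with Microsoft</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Multi-tenant Azure AD metadata endpoint (placeholder authority) -->
        <Item Key="METADATA">https://login.microsoftonline.com/common/.well-known/openid-configuration</Item>
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item> <!-- placeholder -->
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <!-- Multi-tenant: read the issuer from the token, but only accept allow-listed issuers -->
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Placeholder policy key holding the app registration's client secret -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource"
                     DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <!-- The line from the comment above: makes this IdP's sign-in part of the B2C session -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 2. The session-management technical profile that the reference points to -->
<ClaimsProvider>
  <DisplayName>Session Management</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SM-SocialLogin">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary"
                Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <PersistedClaims>
        <!-- Persisting the external identity lets the B2C session satisfy later sign-ins -->
        <PersistedClaim ClaimTypeReferenceId="AlternativeSecurityId" />
      </PersistedClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. Relying-party file: B2C session lifetime and the KMSI KeepAliveInDays attribute -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <!-- KeepAliveInDays is the attribute from the issue; per this thread it applies to local accounts -->
    <SingleSignOn Scope="Tenant" KeepAliveInDays="7" />
    <!-- Rolling: the session is extended on each successful authentication; 86400 s = 24 h -->
    <SessionExpiryType>Rolling</SessionExpiryType>
    <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

When checking behaviour like the one reported in this issue, compare the expiry of the B2C session cookie (set per the relying-party values above) with that of the federated IdP's own cookie: as the comment above explains, the B2C cookie is evaluated first, and only when both have expired is the user sent back to the IdP to re-enter credentials.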

Thank you @mmacy for the reference. I just verified and can confirm that we already have SM-SocialLogin reference in the TechnicalProfile.

The following is the SSO cookie behavior with federated IdP. As you can see, the cookie is set to be thrown out when the session ends. If you'd be willing to share the custom policies, I'm curious to test out the Google IdP sign-in you've implemented since you mentioned you have it working.
[image: screenshot of the SSO cookie's expiry, not reproduced here]

@harshithkashyap Sorry for giving you false hope, Harshith, but after further investigation, it turns out that what you're attempting is not currently possible. This article applies _only_ to local accounts; KMSI is currently unsupported for external identity providers.

The article mentions this (admittedly, in a currently too-subtle and somewhat ambiguous manner):

[image: screenshot of the article passage, not reproduced here]

I'll be updating this article immediately to be very explicit in stating that KMSI is applicable only to local accounts. Again, apologies for instilling false hope with my earlier comment. Doc update is on its way.

Thank you for the update @mmacy. Is there a repo where I can file this issue with the product team to get this feature implemented?

Sure thing, sorry for the inconvenience, @harshithkashyap. The official channel for feature requests is UserVoice:

UserVoice: Azure Active Directory B2C
