Azure B2C SAML SLO drops passback parameter on return to SP, breaking downstream OAuth redirect in SMART-on-FHIR flow

Question

Azure B2C SAML SLO drops passback parameter on return to SP, breaking downstream OAuth redirect in SMART-on-FHIR flow

Jessica Salinas 0

A B2C SAML SLO round-trip is dropping a query parameter that an Epic MyChart SP relies on to complete an OAuth redirect after patient consent, as part of a SMART-on-FHIR standalone patient launch flow.

Failing redirect chain:

/mychart/Authentication/Saml/Logout?passBack=true&postlogoutmode=oauthredirect

` → 302 https://

Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-05-15T16:29:09.84+00:00
Hello Jessica Salinas

This behavior is usually not a platform regression in https://learn.microsoft.com/en-in/azure/active-directory-b2c/overview?

Arbitrary query parameters (such postlogoutmode=oauthredirect) are not guaranteed to be preserved during the logout round-trip by B2C SAML SLO. RelayState is the supported method for maintaining state

The observed behavior is consistent with B2C returning only the configured logout URL without the original query string if the SP (Epic MyChart) does not place the OAuth context into RelayState.

A custom policy modification may also have an impact on RelayState propagation or logout response construction, particularly for tenants utilizing bespoke logout journeys or SAML technical profiles.

Suggested verification:

Verify if RelayState is present in the outgoing SAML logout request.

Check to see if the B2C returns RelayState unaltered.

Review any recent custom policy updates related to SAML/logout/session management

Recommended fix:

Instead of using query-string passback during SAML SLO, maintain postlogoutmode=oauthredirect via RelayState.

Let me know if any further queries - feel free to reach out!

1 answer

Your answer

Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-05-15T16:29:09.84+00:00

Hello Jessica Salinas

This behavior is usually not a platform regression in https://learn.microsoft.com/en-in/azure/active-directory-b2c/overview?

Arbitrary query parameters (such postlogoutmode=oauthredirect) are not guaranteed to be preserved during the logout round-trip by B2C SAML SLO. RelayState is the supported method for maintaining state

The observed behavior is consistent with B2C returning only the configured logout URL without the original query string if the SP (Epic MyChart) does not place the OAuth context into RelayState.

A custom policy modification may also have an impact on RelayState propagation or logout response construction, particularly for tenants utilizing bespoke logout journeys or SAML technical profiles.

Suggested verification:

Verify if RelayState is present in the outgoing SAML logout request.

Check to see if the B2C returns RelayState unaltered.

Review any recent custom policy updates related to SAML/logout/session management

Recommended fix:

Instead of using query-string passback during SAML SLO, maintain postlogoutmode=oauthredirect via RelayState.

Let me know if any further queries - feel free to reach out!

Answer 1

The provided information only states that Azure AD B2C supports SAML SP-initiated and IdP-initiated flows and SAML-based SLO, but does not describe any behavior about preserving RelayState or arbitrary query parameters on SLO responses back to the SP. The context does not confirm whether B2C preserves or drops RelayState or other passback parameters during SAML SLO.
The context does not contain any information about changes in SAML SLO behavior over time or about specific custom policy updates that would alter how the SLO response is constructed.
The context does not document any mechanism in custom policies to echo arbitrary passback parameters on SLO responses (for example via RelayState mapping or custom claims) for SAML SLO. It only shows how to configure SAML SP applications (reply URL, logout URL) and how to troubleshoot SAML protocol messages using browser tools.

Given the available information, the only concrete guidance is to use SAML tracing tools (such as SAML DevTools, SAML-tracer, or browser dev tools) to inspect the actual SAMLRequest/SAMLResponse and confirm what, if anything, is being sent as RelayState or equivalent during the SLO round-trip, and to verify the SAML application’s configured logout URL in the B2C application registration.

References:

Share via

Azure B2C SAML SLO drops passback parameter on return to SP, breaking downstream OAuth redirect in SMART-on-FHIR flow

1 answer

Your answer