We are using a custom ASP.NET button to sign out of our web app, which uses ADFS for authentication. We've tried several options to try and get the app to sign out properly, but nothing seems to work.

It generally takes you to the sign-out page on the federation server, which says you have been signed out properly, but if you hit back you can still access the web app.

Tried: https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0&wreply={post-sign-out_landing_URL} etc.

Has anyone got this to work properly?

Thanks for your time

leppie
JeremyBeadle

3 Answers


As I understand it, you just redirect the user to ADFS with the appropriate wsignout action. This won't delete the authentication cookie created for your application, so the user stays logged on.

I use the WSFederationAuthenticationModule to trigger federated sign-out:

using System;
using System.IdentityModel.Services; // WIF on .NET 4.5; use Microsoft.IdentityModel.Web on WIF 3.5
string absoluteUrl = HttpContext.Current.Request.Url.AbsoluteUri;           // works in a Page or a Controller
string replyUrl = absoluteUrl.Substring(0, absoluteUrl.LastIndexOf("/") + 1); // folder of the current page
WSFederationAuthenticationModule.FederatedSignOut(null, new Uri(replyUrl));   // null = issuer URL from web.config

I am replying back to the application because I want to be sure that the user is signed out.

Hope this helps.

shizik
  • Thanks a lot. I added the code in the onclick event of the link button for my sign out and it works for me – Miller Sep 02 '13 at 11:21
  • How to add WSFederationAuthenticationModule in web.config? – Rohan Kumar Nov 06 '14 at 06:52
  • You need to add it in the modules collection either in `` or ``. If you are not sure, add it in both places. Here is an example: `` You can find more information on: http://goo.gl/iY8Dgv – shizik Nov 06 '14 at 11:24
  • @shizik I added it in `httpModules` and `modules`, and I also added `section` in `configSections` to remove some errors which were preventing me from logging in ([Source](http://msdn.microsoft.com/en-us/library/gg638734.aspx)). Then I added the 3 lines of your answer in `Signout.aspx.cs Page_Load Event`. Then I tested my application, but now I get a blank page after logout, with no errors or warning messages. Now, what should I do? – Rohan Kumar Nov 07 '14 at 06:11
  • Is your Signout.aspx page protected, i.e. does it not allow anonymous requests? Because the idea, if I remember correctly, was that when you are redirected back to the sign-out page the system should redirect you automatically to the Login page. – shizik Nov 07 '14 at 19:51
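The point of the answer above is that the application's own session cookie has to be cleared in addition to the ADFS session. Here is an added example (not shizik's code and not from the original question) of a `Signout.aspx` code-behind for ASP.NET Web Forms on .NET 4.5 that does both and replies to an anonymous page so the round trip does not end in a blank or freshly authenticated page; `SignedOut.aspx` and the class name are assumptions.

```csharp
// Added example: local sign-out followed by WS-Federation sign-out at the STS.
// Assumes System.IdentityModel.Services (WIF 4.5) and a <wsFederation issuer="..."> in web.config.
using System;
using System.IdentityModel.Services;
using System.Web;
using System.Web.UI;

public partial class Signout : Page
{
    // Constructed for this example: a page that allows anonymous requests.
    private const string SignedOutPage = "~/SignedOut.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Tell the browser not to cache this response, so Back cannot replay it.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // Step 1: end the application's own session. Redirecting to
        // /adfs/ls/?wa=wsignout1.0 on its own never touches this cookie.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
        {
            sam.SignOut(); // deletes the FedAuth session cookie(s)
        }
        if (Session != null)
        {
            Session.Abandon(); // drop any ASP.NET session state as well
        }

        // Step 2: federated sign-out at the STS. null = use the issuer from web.config.
        // Reply to a page that does not require authentication, otherwise the
        // module immediately starts a new sign-in after the STS redirects back.
        Uri replyUrl = new Uri(Request.Url, ResolveUrl(SignedOutPage));
        WSFederationAuthenticationModule.FederatedSignOut(null, replyUrl);
    }
}
```

To check the result, inspect the browser's cookies after landing on the reply page: no `FedAuth` cookie for the application and no `MSISAuth` cookie for the ADFS host should remain, and reopening a protected page should redirect to ADFS for a fresh sign-in.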

We too had a similar problem. The solution which worked for us was to add an Endpoint in the relying party trust in the ADFS 2.0 management console. Please follow the steps below:

  1. Add the sign-out URL in the Google configuration (Advanced) -> SSO:

    Log out URL = https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

  2. Go to the ADFS 2.0 Management console. Under the Endpoints tab, click Add.

  3. Endpoint Type = SAML Logout, Binding = POST, URL = https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0. You can set a response URL if you want it to redirect to another page, but we like the ADFS site since it warns that you are logged off but should still close your browser.

Karthik

For my apps, using the "?wa=wsignout1.0" URL clears the application FedAuth cookies and the ADFS MSISAuth cookies.

You end up on the "You have signed out" page.

From there, the back button takes you back to the application, but if you try to do anything you are redirected to ADFS to sign in again.

rbrayb