Why doesn't my WIF output take me out of all RP websites?

The single character works correctly for my application and a number of other websites that use STS. When I log out of my application, I seem to be logged out of my site correctly; however, I can still access other applications that use the same STS without having to log in. Can anyone tell me what I am missing?

My application is calling everything under the sun trying to make it work, but the behavior is the same when I only call FederatedSignOut.

WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
WSFederationAuthenticationModule.FederatedSignOut(new Uri(authModule.Issuer), new Uri(authModule.Realm));


Here is my STS exit code.

SignOutRequestMessage requestMessage = (SignOutRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);
FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest(requestMessage, User, requestMessage.Reply, Response);


Is this a problem with STS or with my application? Could it be a configuration issue if logging out at least works for my application? Should I explicitly send the message "wsignoutcleanup1.0" to all RPs, or should ProcessSignOutRequest do this for me?


source to share

2 answers

As you probably guessed, both STS and your application create their own session cookie and they cannot touch each other's cookies, so you need the wsignoutcleanup1.0 message.

On the side of your application, only the FederatedSignOut () call is needed. It will delete your application session cookie for you before it redirects the STS, so anything else you have there is redundant.

Now, however, your STS should correctly receive and process an incoming wsignoutcleanup1.0 request at some output endpoint. It looks like you haven't. I would first confirm that this STS code actually hit. If it hit, but the STS session cookie remains, then something else is wrong.



According to the link , this is the structure of the logout url: https: // {DNS_name_of_RP_STS} {/adfs/ls/?wa=wsignout1.0&wreply= after logging in out_landing_URL}

Call it directly or redirect your answer to it.

Update: . Or you can create a URI using the SignOutRequestMessage object.

var fa = FederatedAuthentication.WSFederationAuthenticationModule;
var signOutRequestMessage = new SignOutRequestMessage(new Uri(fa.Issuer), fa.Realm);
var signOutURI = signOutRequestMessage.WriteQueryString();




All Articles