Logout from access control service with custom STS

3
votes

I'm using Windows azure access control service with custom STS. I can login to my application through ACS, but I have trouble with logout function. I've tried this code in my application.

        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

        try
        {
            FormsAuthentication.SignOut();
        }
        finally
        {
            fam.SignOut(true);
        }
        Page.Response.Redirect("default.aspx");

But it seems that it logout the user from ACS but not from the custom STS. What should I do to logout from STS. Where could be the problem in the appliacation (RP), ACS or in STS?

I think that ACS should ask custom STS to logout the user, but it seems it doesnt do that. What I am missing?

2
windowsazureacs

2 Answers

5
votes

I have created a helper method for doing FederatedSignout, with comments in the code for what I discovered along the way (hth)

public static void FederatedSignOut(string reply = null)
{
   WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

   // Native FederatedSignOut doesn't seem to have a way for finding/registering realm for singout, get it from the FAM
   string wrealm = string.Format("wtrealm={0}", fam.Realm);

   // Create basic url for signout (wreply is set by native FederatedSignOut)
   string signOutUrl = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(fam.Issuer, null, wrealm);

   // Check where to return, if not set ACS will use Reply address configured for the RP
   string wreply = !string.IsNullOrEmpty(reply) ? reply : (!string.IsNullOrEmpty(fam.Reply) ? fam.Reply : null);

   WSFederationAuthenticationModule.FederatedSignOut(new Uri(signOutUrl), !string.IsNullOrEmpty(wreply) ? new Uri(wreply) : null);

   // Remarks! Native FederatedSignout has an option for setting signOutUrl to null, even if the documentation tells otherwise.
   // If set to null the method will search for signoutUrl in Session token, but I couldn't find any information about how to set this. Found some Sharepoint code that use this
   // Michele Leroux Bustamante had a code example (from 2010) that also uses this form.
   // Other examples creates the signout url manually and calls redirect.

   // FAM has support for wsignoutcleanup1.0 right out of the box, there is no need for code to handle this.
   // That makes it even harder to understand why there are no complete FederatedSignOut method in FAM

   // When using native FederatedSignOut() no events for signout will be called, if you need this use the FAM SignOut methods instead.
}

This code is used in a standard RP library we created for Web SSO with ACS.

2
votes

The December 2012 update of ACS includes support for federated single sign-out:

Using the WS-Federation protocol. Web applications that use ACS to enable single sign-on (SSO) with identity providers using the WS-Federation protocol can now take advantage of single sign out capabilities. When a user signs out of a web application, ACS can automatically sign the user out of the identity provider and out of other relying party applications that use the same identity provider.

This feature is enable for WS-Federation identity providers, including Active Directory Federation Services 2.0 and Windows Live ID (Microsoft account). To enable single sign out, ACS performs the following tasks for WS-Federation protocol endpoints:

  • ACS recognizes wsignoutcleanup1.0 messages from identity providers and responds by sending wsignoutcleanup1.0 messages to relying party applications.

  • ACS recognizes wsignout1.0 and wreply messages from relying party applications and responds by sending wsignout1.0 messages to identity providers and wsignoutcleanup1.0 messages to relying party applications.

From the Code Sample: ASP.NET MVC 4 with Federated Sign-out, implement an Action like this to sign out from ACS:

(Note that Windows Identity Foundation is now incorporated into .NET 4.5 Framework, that's why the new namespaces below)

using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;

public ActionResult Logout()
{
    // Load Identity Configuration
    FederationConfiguration config = FederatedAuthentication.FederationConfiguration;

    // Get wtrealm from WsFederationConfiguation Section
    string wtrealm = config.WsFederationConfiguration.Realm;
    string wreply;

    // Construct wreply value from wtrealm (This will be the return URL to your app)
    if (wtrealm.Last().Equals('/'))
    {
        wreply = wtrealm + "Logout";
    }
    else
    {
        wreply = wtrealm + "/Logout";
    }

    // Read the ACS Ws-Federation endpoint from web.Config
    // something like "https://<your-namespace>.accesscontrol.windows.net/v2/wsfederation"
    string wsFederationEndpoint = ConfigurationManager.AppSettings["ida:Issuer"];

    SignOutRequestMessage signoutRequestMessage = new SignOutRequestMessage(new Uri(wsFederationEndpoint));

    signoutRequestMessage.Parameters.Add("wreply", wreply);
    signoutRequestMessage.Parameters.Add("wtrealm", wtrealm);

    FederatedAuthentication.SessionAuthenticationModule.SignOut();

    string signoutUrl = signoutRequestMessage.WriteQueryString();

    return this.Redirect(signoutUrl);
}