5
votes

I am using ACS 2.0 in my MVC 4 application.

It is already configured for signing in, and it works for various providers including ADFS. I need to implement sign-out functionality.

As this question is already outdated, I used the code from these samples:

Here is how it looks:

    using System;
    using System.Configuration;
    using System.IdentityModel.Services;
    using System.IdentityModel.Services.Configuration;
    using System.Web.Mvc;

    public ActionResult SignOut()
    {
        // Load Identity Configuration
        FederationConfiguration config = FederatedAuthentication.FederationConfiguration;

        // Get wtrealm from the WsFederationConfiguration section
        string wtrealm = config.WsFederationConfiguration.Realm;
        string wreply = wtrealm; // return URL

        // Read the ACS WS-Federation endpoint from web.config
        string wsFederationEndpoint = ConfigurationManager.AppSettings["ida:Issuer"];

        // Build a wsignout1.0 request aimed at the ACS endpoint
        SignOutRequestMessage signoutRequestMessage = new SignOutRequestMessage(new Uri(wsFederationEndpoint));

        signoutRequestMessage.Parameters.Add("wreply", wreply);
        signoutRequestMessage.Parameters.Add("wtrealm", wtrealm);

        // Clear the local session (FedAuth cookie) held by the SessionAuthenticationModule
        FederatedAuthentication.SessionAuthenticationModule.SignOut();

        // Serialize the request into the URL the browser must be redirected to
        var signoutUrl = signoutRequestMessage.WriteQueryString();
        return Redirect(signoutUrl);
    }

As a result, I get the sign-out URL to which I should redirect; it will dispose of the tokens and send me back. The URL looks like the following:

https://myacsnamespace.accesscontrol.windows.net/v2/wsfederation?wa=wsignout1.0&wreply=http%3a%2f%2flocalhost%3a61192%2f&wtrealm=http%3a%2f%2flocalhost%3a61192%2f

As a result, it works as expected for Google, Yahoo, and Microsoft accounts. When I sign out and try to access the protected area, I get a list of identity providers and have to sign in again, even if I choose the same provider.

But when I use the ADFS provider, it works like this:

  • I click sign out and get to the page of available providers

  • I select ADFS provider again

  • I get to the protected area with my old AD credentials

  • If I have ADFS as the only provider, step 2 from above is skipped, and I keep being constantly signed in without the ability to change the user.

As far as I can see, ACS does not dispose of the security token it got from ADFS, and re-uses it.

Do you have any leads on how I can force ACS to dispose of this token?

Thanks in advance!

1
ACS never saves tokens in cookies in this scenario. The only cookies are at ADFS and at your RP. If you're on a domain-joined machine, I suspect that ADFS may be configured to log you in automatically. Can you confirm whether you originally had to use a username/password to log in, and whether you're auto-logged in when using a Private browser window? – Oren Melzer
Oren, I do confirm that I had to log in for the first time - my machine is not in that domain. Same behavior in a Private browser window. And I do suspect that a token between ADFS and RP is not disposed. If you are willing to help, let me know your twitter/fb/e-mail. I will send you the URL and AD account to take a look, and I can also share sources. – Anton Vidishchev
UPDATE: Found you on Facebook and shared the credentials and URL. Let me know if you need the sources. – Anton Vidishchev
This issue has nothing to do with cookies. Your problem is that your ADFS instance uses HTTP Basic auth. Most browsers will remember HTTP Basic credentials over the lifetime of a browser window. You should configure ADFS to use forms auth instead (where you log into a website rather than a pop-up window). – Oren Melzer

1 Answer

0
votes

+1 for @oren-melzer's answer: browsers cache HTTP Basic credentials and automatically re-send them. Either move to forms auth (which uses cookies) or, on logout, specifically deny the browser's auth header, constantly returning 401. Sometimes this "return 401 for valid credentials" works to clear the browser; sometimes you must simply require users to close the browser.
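As an added example (not part of the question, the answer, or any vendor documentation) of the "move to forms auth" fix: the ADFS 2.0 passive endpoint picks its local login handler from the `localAuthenticationTypes` list in its web.config, and the first entry that the browser can use wins. The file path, section names and handler page names below are assumptions about an ADFS 2.0 install; the before/after pair shows the ordering that produces a credential pop-up beside the ordering that produces a cookie-based forms login.

```xml
<!-- Assumed location: C:\inetpub\adfs\ls\web.config (ADFS 2.0 passive endpoint) -->

<!-- Before: Integrated is listed first, so a browser gets a credential
     pop-up (Windows/Basic). The browser then re-sends those credentials
     on every request for the life of the window, so the RP's wsignout1.0
     round trip clears cookies but never clears the cached header. -->
<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
  </localAuthenticationTypes>
</microsoft.identityServer.web>

<!-- After: Forms is listed first. The login is a web page and the result
     is an ADFS session cookie, which the federated sign-out can remove,
     so the next sign-in really prompts for a user again. Basic stays
     last only for non-browser clients that need it; drop it if none do. -->
<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="Integrated" page="auth/integrated/" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
  </localAuthenticationTypes>
</microsoft.identityServer.web>
```

After changing the order, recycle the ADFS application pool and re-test from a fresh browser window, since an already-cached Basic header will keep working until that window is closed.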