Vita1ij Vita1ij - 3 months ago 42
C# Question

How to force Federated signout redirect to login page?

I'm using WSFederationAuthentication module for authentication. I want this: after user press logout button, he signs out (delete all cookies) and redirect to login page.
I have this code for logout button:

var ls = new LoginStatus();
ls.LogoutAction = LogoutAction.Redirect;
ls.LogoutPageUrl = {some URL, where I have sign out code}


Signout part:

Microsoft.IdentityModel.Web.WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
String signoutURL = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(
authModule.Issuer,
{login Url},
null);

WSFederationAuthenticationModule.FederatedSignOut(
new Uri(signoutURL),
new Uri(authModule.Realm));


This code really do signout and delete cookies, but does not redirect to login page. Still, url, that users sees contains this part:
&wreply={loginUrl}

As I understand wreply parameter does not always is used.

Instead of using FederatedSignOut() method I tried this one:

System.Net.WebRequest req = System.Net.WebRequest.Create(signoutURL);
System.Net.WebResponse resp = req.GetResponse();
Redirect(LoginUrl);


But, this doesn't really do sign out. When user tries to log in next time, he doesn't need to enter any credentials and is signed in automatically. My guess, not all cookies are deleted.

So, there is my question, how can I do sign out and force redirect to login page?

P.S. I also delete FedAuth cookies by myself.

Answer

Seems to be, that redirect Url can be only Url, that is written in Idp config:

<passiveEndpoints>
<endpoint endpointType="WsFed" location="{this url}" binding="Post" />
</passiveEndpoints>

If wreply parameter value is any other url, it won't work.

Comments