Single Sign-Out in a passive federation scenario could be tricky, as there could be several RPs participating in the trust realm sign-in process. This recipe shows how to sign out from each of the participating RPs with a single click using the WS-Federation commands.
To process a sign-out request, perform the following steps:

1. Remove the relying party's own session state cookie from the response:

   System.Web.HttpContext.Current.Response.Cookies.Remove(stateKey);

2. Redirect the browser to the sign-out page, passing the wsignout1.0 command and a wreply return address:

   https://RelyingParty/SsoLogout.aspx?wa=wsignout1.0&wreply=...

   The WS-Federation command wa=wsignout1.0 is used to sign out from the issuer.

3. The issuer then sends the wsignoutcleanup1.0 command to each relying party that took part in the sign-in:

   https://RelyingParty1/SsoLogout.aspx?wa=wsignoutcleanup1.0
   https://RelyingParty2/SsoLogout.aspx?wa=wsignoutcleanup1.0
   https://RelyingParty3/SsoLogout.aspx?wa=wsignoutcleanup1.0

   This allows all the relying parties to perform the sign-out operation.
The wsignout1.0 and wsignoutcleanup1.0 actions carried in the wa GET parameter are well understood by relying parties that adhere to the WS-Federation Passive Requestor Profile. Together these actions sign the user out of every RP in the realm.
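The flow above, as an added example that is not the book's own code: a C# code-behind for the SsoLogout.aspx page that dispatches on the wa parameter, clearing the local session for both commands and forwarding only wsignout1.0 to the issuer. The issuer address, the cookie name and the list of realm members are assumed values standing in for configuration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind for SsoLogout.aspx (page name taken from the recipe's URLs).
public partial class SsoLogout : Page
{
    // Assumed values; a real deployment reads these from configuration.
    private const string StateKey = "RpSessionState";            // this RP's session cookie
    private const string IssuerSignOutUrl = "https://Issuer/SsoLogout.aspx";
    private static readonly string[] RealmMembers =
        { "https://RelyingParty1/", "https://RelyingParty2/", "https://RelyingParty3/" };

    protected void Page_Load(object sender, EventArgs e)
    {
        switch (Request.QueryString["wa"])
        {
            case "wsignout1.0":
                // Steps 1 and 2: drop the local session, then hand sign-out to the issuer.
                ExpireCookie(StateKey);
                Response.Redirect(BuildIssuerSignOutUrl(Request.QueryString["wreply"]), true);
                break;
            case "wsignoutcleanup1.0":
                // Step 3: the issuer asks this RP to clear its session; no redirect,
                // because the issuer is calling every RP in the realm in turn.
                ExpireCookie(StateKey);
                Response.StatusCode = 200;
                Response.End();
                break;
            default:
                Response.StatusCode = 400;   // missing or unknown wa command
                Response.End();
                break;
        }
    }

    // Removing a cookie from the outgoing collection alone does not clear it in the
    // browser; re-issuing it with an expiry date in the past does.
    private void ExpireCookie(string name)
    {
        var expired = new HttpCookie(name, string.Empty)
            { Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true, Secure = true };
        Response.Cookies.Set(expired);
    }

    // Forward wreply only when it points back inside the trust realm.
    private static string BuildIssuerSignOutUrl(string wreply)
    {
        string url = IssuerSignOutUrl + "?wa=wsignout1.0";
        bool inRealm = !string.IsNullOrEmpty(wreply) && Array.Exists(RealmMembers,
            m => wreply.StartsWith(m, StringComparison.OrdinalIgnoreCase));
        return inRealm ? url + "&wreply=" + HttpUtility.UrlEncode(wreply) : url;
    }
}
```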
The Windows Identity Foundation runtime provides an HTTP module named WSFederationAuthenticationModule that gives out-of-the-box support for the WS-Federation Passive Requestor Profile. We will explore this further in Chapter 3, Advanced Programming with Windows Identity Foundation.