Azure ACS federated signout in WS-federation

    Question

  • Hi,

     I am using ACS with a custom IDP using WS-federation.

    Authentication looks good, but logout is not. I get the same dead page.

    Now I am seeing an alternative...

    From the application, send request directly to the IDP in question for logout after removing fedAuth cookie. But this has 2 problems.

      a. The application has to know the IDP.

      b. What happens when multiple IDPs are involved?

     So I don't like this option much.

    But is there ANY OTHER?

    Are there any best practices we can leverage?

    I am actually surprised by some arguments that ACS can support it if the IDPs do. But when the request which goes to ACS from the application just has signout in action and the application's URL in wreply, how can ACS determine which IDP the request must go to when multiple IDPs are in play?

    Thanks and Regards,

    Kanduri


    Friday, February 17, 2012 4:50 PM

Answers

  • ACS does not currently support federated signout directly. If you send a signout message to ACS, you'll only get a static page. The Home Realm Discovery feed (identityproviders.js) does expose logout URLs for identity providers that support it to allow you to sign out directly with those providers.
    • Marked as answer by Arwind - MSFT Friday, February 24, 2012 3:35 AM
    Friday, February 17, 2012 6:52 PM
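The answer points at the HRD feed (identityproviders.js) as the place where per-provider logout URLs are published, and the question asks how an application with several IdPs could know which one to sign out from. The following is an added example, not code from the thread or from ACS itself: it parses a constructed sample of the feed, picks the provider the user actually signed in with (assumed to be taken from the identity provider claim ACS puts in the token, here passed in as a name), and builds the WS-Federation signout redirect after checking that the wreply return URL is on the application's own allow-list. The field names Name, LoginUrl and LogoutUrl, the sample URLs and the allow-list are all assumptions.

```python
import json
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample of what an ACS HRD feed (identityproviders.js) might return.
# The field names (Name, LoginUrl, LogoutUrl) and the URLs are assumptions.
SAMPLE_HRD_FEED = json.dumps([
    {
        "Name": "Contoso ADFS",
        "LoginUrl": "https://adfs.contoso.example/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Fapp.example%2F",
        "LogoutUrl": "https://adfs.contoso.example/adfs/ls/?wa=wsignout1.0",
    },
    {
        "Name": "Fabrikam IdP",
        "LoginUrl": "https://sso.fabrikam.example/wsfed?wa=wsignin1.0",
        "LogoutUrl": "",  # this provider advertises no federated signout endpoint
    },
])

# Hypothetical allow-list: hosts the application accepts as a wreply return target,
# so the signout flow cannot be turned into an open redirect.
ALLOWED_WREPLY_HOSTS = {"app.example"}


def logout_urls_from_feed(feed_text):
    """Map IdP name -> logout URL for every feed entry that advertises one."""
    return {
        idp["Name"]: idp["LogoutUrl"]
        for idp in json.loads(feed_text)
        if idp.get("LogoutUrl")
    }


def build_signout_redirect(feed_text, identity_provider, wreply):
    """Build the wsignout1.0 redirect for the IdP the user signed in with.

    identity_provider is the provider name recorded at sign-in (assumed to come
    from the identity provider claim in the ACS token). Returns None when the
    provider is unknown or publishes no logout URL, so the caller can fall back
    to a local-only signout (clear the FedAuth cookie and stop there).
    """
    if urlsplit(wreply).hostname not in ALLOWED_WREPLY_HOSTS:
        raise ValueError("wreply is not on the application's allow-list")

    logout_url = logout_urls_from_feed(feed_text).get(identity_provider)
    if not logout_url:
        return None

    # Keep whatever query the feed already carries, force the signout action,
    # and tell the IdP where to send the browser afterwards.
    parts = urlsplit(logout_url)
    query = dict(parse_qsl(parts.query))
    query["wa"] = "wsignout1.0"
    query["wreply"] = wreply
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    print(build_signout_redirect(SAMPLE_HRD_FEED, "Contoso ADFS", "https://app.example/signedout"))
    print(build_signout_redirect(SAMPLE_HRD_FEED, "Fabrikam IdP", "https://app.example/signedout"))
```

The application still has to remember which provider issued the session (the name is recorded at sign-in time), which is exactly the coupling the question objects to; what the feed buys is that the logout URL itself no longer has to be configured per application, and a provider with an empty LogoutUrl is handled by falling back to clearing the local session only.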