I am using ACS with a custom IDP using WS-federation.
Authentication looks good, but logout is not. I get the same dead page.
Now I am seeing an alternative...
From the application, send request directly to the IDP in question for logout after removing fedAuth cookie. But this has 2 problems.
a. The application has to know the IDP.
b. What happens when multiple IDPs are involved.
So I don't like this option much.
But is there ANY OTHER?
Are there any best practices we can leverage?
I am actually surprised by some arguments that ACS can support it if the IDPs do. But when the request which goes to ACS from the application just has signout in action and the application's URL in wreply, how can ACS determine to which IDP the request must go to when multiple IDPs are in play?
ACS does not currently support federated signout directly. If you send a signout message to ACS, you'll only get a static page. The Home Realm Discovery feed (identityproviders.js) does expose logout URLs for identity providers that support it to allow you to sign out directly with those providers.
Marked as answer by Arwind - MSFT, Friday, February 24, 2012 3:35 AM
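One way an application could use the logout URLs from the Home Realm Discovery feed when several identity providers are in play, as an added example that is not part of the original thread and is not ACS code. It assumes the feed is a JSON array whose entries carry `Name` and `LogoutUrl` fields, that the application records which provider names were used at sign-in (hypothetical `usedIdpNames`), and that it keeps an allowlist of trusted provider hosts; the feed entries are constructed.

```javascript
// Constructed sample of the Home Realm Discovery feed (field names are an assumption).
const sampleFeed = [
  { Name: "Contoso ADFS",
    LoginUrl: "https://sts.contoso.example/adfs/ls/?wa=wsignin1.0",
    LogoutUrl: "https://sts.contoso.example/adfs/ls/?wa=wsignout1.0" },
  // Provider that does not support sign-out: the feed exposes no logout URL.
  { Name: "Fabrikam IdP",
    LoginUrl: "https://login.fabrikam.example/signin",
    LogoutUrl: "" },
  // Entry whose logout URL is not HTTPS and not on a trusted host.
  { Name: "Unexpected IdP",
    LoginUrl: "https://idp.unexpected.example/signin",
    LogoutUrl: "http://idp.unexpected.example/logout" },
];

// For every provider the user signed in with, pick the logout URL from the feed.
// A URL is only returned as a redirect target if it parses, uses HTTPS and its
// host is on the allowlist, so a modified feed cannot turn sign-out into an
// open redirect. Providers without a logout URL are reported separately so the
// application can tell the user that their session at that provider remains.
function resolveLogoutTargets(feed, usedIdpNames, allowedHosts) {
  const byName = new Map(feed.map((entry) => [entry.Name, entry]));
  const result = { redirects: [], unsupported: [], rejected: [] };
  for (const name of usedIdpNames) {
    const entry = byName.get(name);
    if (!entry || !entry.LogoutUrl) {
      result.unsupported.push(name);
      continue;
    }
    let url;
    try {
      url = new URL(entry.LogoutUrl);
    } catch {
      result.rejected.push(name);
      continue;
    }
    if (url.protocol !== "https:" || !allowedHosts.has(url.hostname)) {
      result.rejected.push(name);
      continue;
    }
    result.redirects.push({ name, url: url.href });
  }
  return result;
}
```

The application still removes its own session cookie first; the returned `redirects` are the provider sign-out pages to visit afterwards.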