Implementing Single Sign-Out in a trust realm

Single Sign-Out in a passive federation scenario can be tricky, because several RPs may have taken part in the trust realm sign-in and each of them holds its own session. This recipe shows how to sign out from every participating RP with a single click using the WS-Federation sign-out commands.

How to do it...

To process a sign-out request, perform the following steps:

  1. After the user clicks the sign-out link, delete the federation cookie. Removing it from the response collection is not enough, because the browser keeps its copy; send the same cookie name back with an expiry in the past so the browser discards it:
    var expired = new HttpCookie(stateKey) { Expires = DateTime.UtcNow.AddDays(-1) };
    System.Web.HttpContext.Current.Response.Cookies.Set(expired);
    
  2. Redirect the browser to the simulated issuer with the WS-Federation sign-out action in the wa parameter and, in wreply, the URL the issuer should return the browser to once sign-out is complete (the issuer must check wreply against the RPs it trusts, or the link becomes an open redirect):
    https://RelyingParty/SsoLogout.aspx?wa=wsignout1.0&wreply=...
    

    Note

    The WS-Federation command wa=wsignout1.0 tells the issuer to end its own session and start the sign-out of the realm.

  3. Retrieve the list of RPs that signed in during this session from the cookie and send the sign-out clean-up command to each of them (typically by rendering hidden frames or images that point at each RP's clean-up URL, since the browser has to carry each RP's own cookie):
    https://RelyingParty1/SsoLogout.aspx?wa=wsignoutcleanup1.0
    https://RelyingParty2/SsoLogout.aspx?wa=wsignoutcleanup1.0
    https://RelyingParty3/SsoLogout.aspx?wa=wsignoutcleanup1.0
    

This allows all the relying parties to perform the sign-out operation.
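The three steps above, put together as one ASP.NET Web Forms code-behind. This is an added example, not the book's code: the same SsoLogout.aspx page plays the issuer role (answering wa=wsignout1.0) and the RP role (answering wa=wsignoutcleanup1.0). The cookie names FedAuth and FedRpList, the "|"-separated format of the RP-list cookie, the ~/SignedOut.aspx landing page, the /SsoLogout.aspx path on every RP and the allow-list of trusted RPs are all assumptions made for the example.

```csharp
// Added example (not the book's code). Cookie names, the RP-list cookie format,
// the landing page and the RP allow-list below are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.UI;

public partial class SsoLogout : Page
{
    // Assumed: the federation session cookie, and the issuer-side cookie that
    // records which RPs signed in during this session, "|"-separated.
    private const string SessionCookieName = "FedAuth";
    private const string RpListCookieName = "FedRpList";

    // Assumed trust realm. Both wreply and the clean-up targets are checked
    // against it, so a crafted sign-out link cannot turn the issuer into an open redirector.
    private static readonly Uri[] TrustedRps =
    {
        new Uri("https://RelyingParty1/"),
        new Uri("https://RelyingParty2/"),
        new Uri("https://RelyingParty3/"),
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        switch (Request.QueryString["wa"])
        {
            case "wsignout1.0":        HandleSignOut(); break;
            case "wsignoutcleanup1.0": HandleCleanup(); break;
            default: Response.StatusCode = 400; Response.End(); break;
        }
    }

    // Issuer side: end the issuer session, fan the clean-up command out to every
    // RP that took part in this session, then send the browser to a vetted wreply.
    private void HandleSignOut()
    {
        ExpireCookie(SessionCookieName);
        List<Uri> rps = ReadRpList().Where(IsTrusted).ToList();
        ExpireCookie(RpListCookieName);

        Uri wreply;
        bool replyOk = Uri.TryCreate(Request.QueryString["wreply"], UriKind.Absolute, out wreply)
                       && IsTrusted(wreply);
        string returnUrl = replyOk ? wreply.AbsoluteUri : ResolveUrl("~/SignedOut.aspx");

        var html = new StringBuilder("<!DOCTYPE html><html><body><p>Signing out...</p>");
        foreach (Uri rp in rps)
        {
            // Assumed: every RP exposes its clean-up endpoint at /SsoLogout.aspx.
            Uri cleanup = new Uri(rp, "SsoLogout.aspx?wa=wsignoutcleanup1.0");
            html.AppendFormat("<iframe src=\"{0}\" style=\"display:none\"></iframe>",
                              HttpUtility.HtmlAttributeEncode(cleanup.AbsoluteUri));
        }
        // Leave only after every clean-up frame has loaded, so no RP is skipped.
        html.AppendFormat("<script>window.addEventListener('load',function(){{location.replace('{0}');}});</script>",
                          HttpUtility.JavaScriptStringEncode(returnUrl));
        html.Append("</body></html>");

        Response.Clear();
        Response.ContentType = "text/html";
        Response.Write(html.ToString());
        Response.End();
    }

    // RP side: a cross-site GET issued from the issuer's page. It must need no
    // session and be safe to repeat, since the issuer cannot tell whether this RP still has one.
    private void HandleCleanup()
    {
        ExpireCookie(SessionCookieName);
        Session.Abandon();
        Response.Clear();
        Response.ContentType = "text/plain";
        Response.Write("signed out");
        Response.End();
    }

    // Response.Cookies.Remove only drops the cookie from the outgoing collection;
    // sending the same name back already expired makes the browser delete it.
    private void ExpireCookie(string name)
    {
        var expired = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true, Secure = true,
        };
        Response.Cookies.Set(expired);
    }

    private IEnumerable<Uri> ReadRpList()
    {
        HttpCookie list = Request.Cookies[RpListCookieName];
        if (list == null || string.IsNullOrEmpty(list.Value)) yield break;
        foreach (string entry in list.Value.Split('|'))
        {
            Uri rp;
            if (Uri.TryCreate(entry, UriKind.Absolute, out rp)) yield return rp;
        }
    }

    // Trusted only over HTTPS and only if the host is in the realm's allow-list.
    private static bool IsTrusted(Uri candidate)
    {
        return candidate.Scheme == Uri.UriSchemeHttps
               && TrustedRps.Any(t => string.Equals(t.Host, candidate.Host, StringComparison.OrdinalIgnoreCase));
    }
}
```

Two things to check before relying on this in a real realm: each RP's clean-up page is loaded in a frame on the issuer's origin, so an RP that sends X-Frame-Options: DENY (or a CSP frame-ancestors directive that excludes the issuer) will silently keep its session; and browsers that block third-party cookies will not send the RP's cookie with the framed request at all, in which case the RP stays signed in until its own cookie expires.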

How it works...

The wsignout1.0 and wsignoutcleanup1.0 actions carried in the wa query-string parameter are understood by every relying party that adheres to the WS-Federation Passive Requestor Profile. wsignout1.0 is sent to the issuer to end the realm session, and the issuer in turn sends wsignoutcleanup1.0 to each RP so that it can discard its local session; because that clean-up request arrives cross-site from the issuer's page, the RP must accept it without an existing session and must be safe to call more than once.

There's more...

The Windows Identity Foundation runtime provides an HTTP module named WSFederationAuthenticationModule that provides out of the box support for the WS-Federation Passive Requestor Profile. We will explore this further in Chapter 3, Advanced Programming with Windows Identity Foundation.
