IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

WS-Federation signout issue #781

Closed unipeg closed 9 years ago

unipeg commented 10 years ago

Hi

I have a setup where I use IdentityServer [IdSvr] as IdP, AuthorizationServer [AS] as STS and on top, I have a SinglePageApp. IdSvr and AS are speaking together over the ws-federation protocol.

I'm having a little issue when I want the user to log out of my application. I want to delete the persistent cookies both on the IdP and the STS, and then return to my application and I've constructed a link like this:

/IdSvr/issue/wsfed?wa=wsignout1.0&wtrealm=[my-realm]&wreply=[AS-base-url]/?wa=wsignoutcleanup1.0&wreply=[application-base-url]

a) the client goes to IdSvr to do a wsignout
b) the client is redirected to AS to do wsignoutcleanup1.0
c) the client is redirected back to the original application

I get stuck at step a), where IdSvr returns a 302 redirecting me to IdSvr's account/signin URL, asking the user to log on to IdSvr. Am I doing the ws-fed signout completely wrong? In another environment, where another IdP is used, the stated flow does work, though. Hope you can help me on this.
leastprivilege commented 10 years ago

progress?

unipeg commented 10 years ago

Unfortunately, no. This is still an issue.

leastprivilege commented 10 years ago

The behavior is weird - can you verify that you are sending the idsrv authentication cookie to the /wsfed controller when signing out?

unipeg commented 10 years ago

I'll look into this. But I take it my flow is okay?

leastprivilege commented 10 years ago

The flow is that you send the logout message to the IdP - yes. Also check the ws-fed spec.

leastprivilege commented 9 years ago

Is it working?

unipeg commented 9 years ago

It works now! My problem was that I needed to URL-encode the whole signout endpoint, from the first wreply onwards. Also, I needed to check "remember me", so that the persistent cookie was delivered to the signout endpoint as well.

All is well now.
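The resolution above comes down to how the nested wreply is encoded. The following added example (not code from the issue or from IdentityServer; the host names, realm and paths are constructed placeholders) builds the three-hop signout chain both the naive way and with each nested hop encoded as a whole, then follows the wreply chain the way each receiver would parse it, showing that the unencoded form loses the final hop back to the application:

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder endpoints, not real deployments.
IDSRV_WSFED = "https://idsrv.example/IdSvr/issue/wsfed"  # IdP signout endpoint
AS_WSFED = "https://as.example/"                         # STS cleanup endpoint
APP_URL = "https://app.example/"                         # final return URL
REALM = "urn:my-realm"


def naive_signout_url():
    """The broken form from the issue: the inner wreply URL is pasted in raw,
    so its own '?', '=' and '&' become part of the outer query string."""
    return (f"{IDSRV_WSFED}?wa=wsignout1.0&wtrealm={REALM}"
            f"&wreply={AS_WSFED}?wa=wsignoutcleanup1.0&wreply={APP_URL}")


def build_signout_url():
    """Correct form: build the innermost hop first and encode each complete
    URL as a single query value when nesting it into the next hop."""
    cleanup = AS_WSFED + "?" + urlencode(
        {"wa": "wsignoutcleanup1.0", "wreply": APP_URL})
    return IDSRV_WSFED + "?" + urlencode(
        {"wa": "wsignout1.0", "wtrealm": REALM, "wreply": cleanup})


def hops(url):
    """Follow the wreply chain as each receiver would parse it.
    Returns (host, wa) per hop; wa is None where no ws-fed action is present."""
    chain = []
    while url:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        chain.append((parts.netloc, query.get("wa", [None])[0]))
        # Each receiver redirects to the first wreply it sees (decoded once).
        url = query.get("wreply", [None])[0]
    return chain


if __name__ == "__main__":
    print("naive:  ", hops(naive_signout_url()))    # only two hops survive
    print("encoded:", hops(build_signout_url()))    # IdP -> STS -> application
```

Whichever form is used, each receiver must still validate that the wreply it is about to redirect to belongs to a registered realm, otherwise the signout endpoint becomes an open redirector.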