IvanLieckens / sitecore-federated-login

Federated Authentication Support for Sitecore v8 series
MIT License

Site logout not quite working (with WS-Federation)? #2

Open Infarinato opened 6 years ago

Infarinato commented 6 years ago

Once again, it might be me doing something wrong in implementing your code, Ivan, so please take the following with a pinch of salt…

With WS-Federation, at least, it looks like logout isn’t quite working: it briefly redirects you to AD FS (presumably for AD FS logout) and back, but your claims data is still all there in the cookie / session store, so you are never really being logged out of the site.

We used to have a “similar yet opposite” problem, in that the cookie / session data was cleared locally, but we were still logged in with AD FS, so ultimately we were never being logged out, either.

We ended up having to do the following three things in succession:

  1. Log out Sitecore virtual user;
  2. OWIN logout with this.Request.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType) for local site logout;
  3. but then also explicit redirect to the AD FS ?wa=signout… URL and back for full AD FS logout! 😅

Paolo
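The three-step logout listed in the comment above, sketched as an added example that is not part of the original thread or of the module's own code. It assumes an ASP.NET MVC controller on a site using OWIN cookie authentication; `LogoutController`, the AD FS endpoint and the return URL are hypothetical placeholders, and `wa=wsignout1.0` is the standard WS-Federation sign-out action.

```csharp
using System;
using System.Web;                          // GetOwinContext() extension (Microsoft.Owin.Host.SystemWeb)
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Sitecore.Security.Authentication;

// Hypothetical controller name; not part of the sitecore-federated-login module.
public class LogoutController : Controller
{
    // Placeholder values (assumptions): replace with the real AD FS passive
    // endpoint and the page users should land on after sign-out.
    private const string AdfsPassiveEndpoint = "https://adfs.example.com/adfs/ls/";
    private const string PostLogoutUrl = "https://www.example.com/";

    [HttpPost]
    [ValidateAntiForgeryToken]             // logout changes state, so require POST plus anti-forgery token
    public ActionResult Logout()
    {
        // 1. Log out the Sitecore virtual user.
        AuthenticationManager.Logout();

        // 2. Local site logout: remove the OWIN authentication cookie that
        //    carries the claims, so they do not survive the round trip to AD FS.
        Request.GetOwinContext().Authentication
            .SignOut(CookieAuthenticationDefaults.AuthenticationType);

        // 3. Full AD FS logout: redirect to the WS-Federation sign-out URL.
        //    wreply is a fixed constant, never taken from the request, so the
        //    return hop cannot be turned into an open redirect.
        string signOutUrl = AdfsPassiveEndpoint
            + "?wa=wsignout1.0"
            + "&wreply=" + Uri.EscapeDataString(PostLogoutUrl);

        return Redirect(signOutUrl);
    }
}
```

After the redirect returns, checking that the authentication cookie is gone and that the AD FS session no longer silently signs the user back in confirms that both halves of the logout took effect.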

IvanLieckens commented 6 years ago

Hi Paolo,

Not to worry on this one, we've noticed similar issues on our implementation but I've been unable to spend time resolving these. Additionally the ws-fed part of the implementation is currently the weakest since the most important pieces on our end use the OpenIdConnect and OAuth implementations on the module.

Check out the doLogout pipeline processors since they will reveal what happens exactly and maybe there's a piece missing which can easily be added. When I get around to fixing the issues I'll review this bug if you've not beaten me to the punch :)

Sincerely, Ivan