Question

In my MVC web app, I was trying to use both internal authentication and Windows Azure Active Directory (without ACS) as identity providers. I could add this app to Azure applications so that users can be authenticated from Azure.

I was able to log in using both Azure and local users without ACS.

My problem is that I am not able to log out Azure users from my web app. The local users get logged out by clicking logoff, but the problem is with the Azure accounts. I have just used the default simple MVC sample app to test these and made a few modifications here and there, but nothing major.

    [HttpPost]
    // [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Clears server-side session state and the forms-authentication ticket only
        Session.Clear();
        Session.Abandon();
        WebSecurity.Logout();
        FormsAuthentication.SignOut();
        return RedirectToAction("Login", "Account");
    }

This is the code I used to log off. I also faced an issue with the forgery token in my view. Adding @Html.AntiForgeryToken() did not help me.

My actual code was just:

    [HttpPost]
    // [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        WebSecurity.Logout();
        return RedirectToAction("Login", "Account");
    }

But based on a few suggestions I found in some blogs, I changed this to the former.

How do I log out/sign out Azure users? Will I be able to delete any cookies that will help me in this cause?

When I click on Logoff, it returns the same page without actually logging me out. But when I use the internal accounts, the app lets me log out and returns to the login page.

I used VS2012 and used the Identity and Access tool to connect it to Azure AD, using WS-Federation (protocol) and Windows Identity Foundation (WIF) 4.5 (framework).

Thanks!

Solution

The answer depends on what protocol and identity middleware/framework you're using to sign in to Azure AD. If you built your app in VS2012 and used the Identity and Access tool to connect it to Azure AD, you're probably using WS-Federation (protocol) and Windows Identity Foundation (WIF) 4.5 (framework). The same applies if you're using VS2013 and clicked the "Change Authentication" button when creating a new web application, then signed in to your Azure AD directory. For these scenarios, you should know that WIF uses HTTP modules to handle WS-Fed and session management, and you need to interact with the session module to end a user's session and sign them out. To just sign the user out from the application (which clears their federated auth cookie), you need to invoke the SignOut() method on the session module as shown:

    FederatedAuthentication.SessionAuthenticationModule.SignOut();

If you want single sign-out, which signs the user out of all the applications they're currently signed in to with Azure AD, WS-Federation has its own sign-out flow that involves sending a specific sign-out message back to Azure AD to let it know that the user has signed out. See this topic for more info and scroll down to the section about sign-out.

If you are using VS2013 and OWIN authentication middleware, you just need to get the current OWIN context's authentication "manager" and call its SignOut() method, something like:

    HttpContext.GetOwinContext().Authentication.SignOut();
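Putting the answer's WIF advice together with the question's local logout, as an added example (not code from the question or the answer): one LogOff action that clears the forms-authentication ticket, asks the WIF session module to remove its FedAuth cookie, and, only when a federated session actually existed, sends the WS-Federation sign-out message to the issuer. Assumed: the issuer URL is read from the configured WSFederationAuthenticationModule, the reply URL is one registered for this app in Azure AD, and local users are SimpleMembership (WebSecurity) users.

```csharp
using System;
using System.IdentityModel.Services;
using System.Web.Mvc;
using System.Web.Security;
using WebMatrix.WebData;

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Detect a WIF session before we tear anything down: the session module
        // owns the FedAuth cookie, so Session.Abandon()/FormsAuthentication.SignOut()
        // never touch it and the user stays signed in.
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        bool hadFederatedSession = sam != null && sam.ContainsSessionTokenCookie(Request.Cookies);

        // Local (SimpleMembership / forms auth) users: drop the forms ticket.
        if (WebSecurity.Initialized)
        {
            WebSecurity.Logout();
        }
        FormsAuthentication.SignOut();

        // Federated users: remove the FedAuth cookie(s) issued for this application.
        if (sam != null)
        {
            sam.SignOut();
        }

        Session.Clear();
        Session.Abandon();

        // Optional single sign-out: tell Azure AD (the issuer) that the user signed
        // out so it ends its own session as well. Only meaningful for federated users.
        var fam = FederatedAuthentication.WSFederationAuthenticationModule;
        if (hadFederatedSession && fam != null && !string.IsNullOrEmpty(fam.Issuer))
        {
            // Assumption: this URL is registered as a reply URL for the app in Azure AD.
            var replyUrl = new Uri(Url.Action("Login", "Account", null, Request.Url.Scheme));
            WSFederationAuthenticationModule.FederatedSignOut(new Uri(fam.Issuer), replyUrl);
            return new EmptyResult(); // FederatedSignOut has already written the redirect
        }

        return RedirectToAction("Login", "Account");
    }
}
```

The anti-forgery attribute is left enabled here because the logout form must carry @Html.AntiForgeryToken(); removing the attribute instead, as in the question, lets any page force a logout via a cross-site POST.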

Licensed under: CC-BY-SA with attribution