How do I prevent MS WS-Federations Identity Providers from auto-logging my users back in?

StackOverflow https://stackoverflow.com/questions/17534231

02-06-2022

Question

Right now my application uses WS-Federated login, and it works just fine, but when I log out, it will automatically log me back in when I click on the login link.

I have verified that User.Identity.IsAuthenticated == false once the user is logged out, so that is working. I use this for logout:

using System.Web.Security;          // FormsAuthentication
using Microsoft.IdentityModel.Web;  // WIF 3.5: FederatedAuthentication, WSFederationAuthenticationModule

WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

// SignOut from both Authentications
try
{
    // Drops the WIF session cookie (FedAuth) held by this application
    Microsoft.IdentityModel.Web.FederatedAuthentication.SessionAuthenticationModule.SignOut();
    // Drops the ASP.NET forms authentication cookie
    FormsAuthentication.SignOut();
}
finally
{
    // Ends the WS-Federation session on the application side and raises the sign-out events
    fam.SignOut(true);
}

But the problem is, when I get the link to log back in, it sends the information which automatically logs me in. It basically seems like the user is not logged out. The string that logs me in is here:

http://someAppId.cloudapp.net/?wa=wsignin1.0&wtrealm=https%3a%2f%2blablabla.accesscontrol.windows.net%2f&wreply=https%3a%2f%blablabla.accesscontrol.windows.net%2fv2%2fwsfederation&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmYxMjcuMC4wLjElM2E4MSUyZg2

It doesn't appear that any cookies are being kept, so it is being passed via the URL. What part can I take out/modify to avoid being logged in? Is there a better way to do this? Please let me know if this is unclear in any way.


Solution

When you're using an IdP that does IWA as a pre-auth token and WS-Fed or SAML as a post-auth token, then make sure you direct your logout to a different page, else the user will be automatically logged in again.
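An added example, not code from the question or the answer, of a logout that follows the answer's advice: it clears the application's own cookies, asks the STS to end the federated session with a wsignout1.0 request (WIF's FederatedSignOut), and has the STS return the browser to a page that requires no authentication, so an IWA pre-authenticating IdP never gets the chance to issue a fresh token. The class name, the SignedOut.aspx path and the app.example.com host are assumptions.

```csharp
using System;
using System.Web.Security;
using Microsoft.IdentityModel.Web;

public static class FederatedLogout
{
    // Assumed landing page (hypothetical URL, not from the question). It must be
    // reachable anonymously, e.g. via a <location path="SignedOut.aspx"> element in
    // web.config that allows users="*", so that arriving there does not trigger a
    // new wsignin1.0 round-trip to the STS.
    private static readonly Uri SignedOutPage =
        new Uri("https://app.example.com/SignedOut.aspx");

    public static void SignOutEverywhere()
    {
        WSFederationAuthenticationModule fam =
            FederatedAuthentication.WSFederationAuthenticationModule;

        // 1. Remove the application's own session state: the WIF session cookie
        //    (FedAuth) and the ASP.NET forms authentication cookie.
        FederatedAuthentication.SessionAuthenticationModule.SignOut();
        FormsAuthentication.SignOut();

        // 2. Tell the STS to end the federated session as well. FederatedSignOut
        //    redirects the browser to the issuer with wa=wsignout1.0 and a wreply
        //    pointing at the page the STS should send the browser back to.
        // 3. Because that wreply is an anonymous page, no protected resource is
        //    requested on the way back, so the IdP's automatic (IWA) sign-in is not
        //    re-triggered; the user only signs in again by clicking the login link.
        WSFederationAuthenticationModule.FederatedSignOut(new Uri(fam.Issuer), SignedOutPage);
    }
}
```

Many STSs validate wreply against the relying party's registered return URL, so the landing page has to be covered by that registration.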

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow