
FederatedPassiveSignOut

Today I was experimenting with sign out using the SignInControl. And while a local sign out works great, I'm not having as much luck with a federated sign out. Setting FederatedPassiveSignOut='true' looks like it should contact the IP and request a signout, but that's not happening.

So I spelunked a bit with Reflector and found out how the federated signout URL is being discovered - it looks like it's supposed to be found somewhere in the session token, in the "context" property. But this property is an empty string when it's checked, and a quick look inside FederationAuthenticationModuleBase.AuthenticationCore() appears to reveal a code path that's always setting that session property to null.

So I'm a little confused. Is federated signout not yet implemented in Geneva Framework? Or (more likely) am I being dim and missing something obvious?

FWIW, Geneva Server is the issuer, so I was hoping the fed signout would route me to its sign out URL...

Thanks!

Keith Brown
Pluralsight

Keith Brown, Pluralsight LLC (http://www.pluralsight.com/keith)
Keith Brown
Hi Keith,

From what we've seen in our work regarding sign out and based on our discussions w/ Microsoft, we've come to the conclusion that sign out, as implemented in beta 1, still needs a bit of work. I wouldn't be surprised if the behavior that you're seeing isn't because you're dim, but for other reasons related to the beta's implementation.



Regards,

Travis Spencer
http://travisspencer.com
Travis Spencer
Does anyone have a solution for this? In my webauth-handler.aspx I have the following code to try to force the signout, and it is hitting the code, but if I log back in with a different id after logging out (but not closing the browser), I get the original claims. I'm using LiveID as my Auth Provider.

// Using directives added for the types this handler references (they were not in the original post).
// Wll, LoginCookie, ExpireCookie, PersistCookie, LoginPage and LogoutPage are assumed to be the
// page-level fields from the Windows Live ID Web Authentication SDK sample this handler is based on.
using System;
using System.Configuration;
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;
using WindowsLive; // namespace of the SDK's WindowsLiveLogin sample class (assumed)

protected void Page_Load(object sender, EventArgs e)
{
    HttpRequest req = HttpContext.Current.Request;
    HttpResponse res = HttpContext.Current.Response;

    // Extract the 'action' parameter from the request, if any.
    string action = req["action"];

    /*
      If action is 'logout', clear the login cookie and redirect
      to the logout page.

      If action is 'clearcookie', clear the login cookie and
      return a GIF as response to signify success.

      By default, try to process a login. If login was
      successful, cache the user token in a cookie and redirect
      to the site's main page.  If login failed, clear the cookie
      and redirect to the main page.
    */

    if (action == "logout")
    {
        FederatedAuthentication.SignOut(true);
        // Note: this signs out on a freshly constructed module instance, not the one
        // registered in the HTTP pipeline (FederatedAuthentication.SessionAuthenticationModule).
        new SessionAuthenticationModule().SignOut(true);
        HttpCookie loginCookie = new HttpCookie(LoginCookie) { Expires = ExpireCookie };
        res.Cookies.Add(loginCookie);
        res.Redirect(LogoutPage);
        res.End();
    }
    else if (action == "clearcookie")
    {
        FederatedAuthentication.SignOut(true);
        new SessionAuthenticationModule().SignOut(true);

        HttpCookie loginCookie = new HttpCookie(LoginCookie) { Expires = ExpireCookie };
        res.Cookies.Add(loginCookie);

        // Live ID's clear-cookie response is a small GIF that signals success to the caller.
        string type;
        byte[] content;
        Wll.GetClearCookieResponse(out type, out content);
        res.ContentType = type;
        res.OutputStream.Write(content, 0, content.Length);

        res.End();
    }
    else
    {
        WindowsLiveLogin.User user = Wll.ProcessLogin(req.Form);

        HttpCookie loginCookie = new HttpCookie(LoginCookie);
        if (user != null)
        {
            if (!string.IsNullOrEmpty(user.Context))
                LoginPage = user.Context;

            loginCookie.Value = user.Token;

            if (user.UsePersistentCookie)
            {
                loginCookie.Expires = PersistCookie;
            }

            string realm = Request.Url.ToString().ToLower();
            string issuer = ConfigurationManager.AppSettings.Get("AcsIssuer");

            WSFederationAuthenticationModule authModule = new WSFederationAuthenticationModule
            {
                Realm = realm,
                Issuer = issuer
            };

            // Strip the port from a *.cloudapp.net URL so the reply address matches the registered one.
            const string homeRealmSts = @"http://login.live.com";
            Regex re = new Regex(@"(http[s]?://[\w-]*\.cloudapp\.net):[0-9]*");
            if (re.IsMatch(Request.Url.ToString()))
                authModule.Reply = re.Replace(Request.Url.ToString(), "$1");
            else
                authModule.Reply = Request.Url.ToString();

            // Build the WS-Federation sign-in request and pin the home realm (whr) to Live ID.
            String uniqueId = Guid.NewGuid().ToString();
            SignInRequestMessage signInMsg = authModule.CreateSignInRequest(uniqueId, authModule.Realm, false);
            if (!String.IsNullOrEmpty(homeRealmSts))
            {
                signInMsg.Parameters.Add("whr", homeRealmSts);
            }

            Response.Redirect(signInMsg.RequestUrl);
        }
        else
        {
            loginCookie.Expires = ExpireCookie;
        }

        res.Cookies.Add(loginCookie);
        res.Redirect(LoginPage);
        res.End();
    }
}
Joe Beernink

Joe, I am running into the same issue during signout. If I try to login after a successful logout, it automatically takes the original claims. This is what I am doing:

// Using directives added for the types below (not in the original post).
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

// clear all the current claims
if (Thread.CurrentPrincipal is IClaimsPrincipal)
{
    ClaimsIdentityCollection claims = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities;
    claims.Clear();
    claims.Add(new ClaimsIdentity(new Claim(string.Empty, string.Empty)));
}

// destroy the current session
this.Session.Clear();
this.Session.Abandon();

// sign out on a newly constructed module rather than the pipeline's instance
if (this.Request.IsAuthenticated)
{
    new WSFederationAuthenticationModule().SignOut();
}

// log out of live id
Response.Redirect("http://login.live.com/logout.srf");

Let me know if you know of any solution.

Gaurav Gupta [MSFT]
I don't actually have a solution for this at this time. Due to many reasons, we are ripping out our Geneva code starting this week and converting to a different (internally developed) security model. I really liked Geneva, and spent a lot of time learning it, but non-project related forces have intervened.

Good luck.
Joe Beernink
I found the same issue with beta2. However, the workaround is pretty simple, according to the spec: http://docs.oasis-open.org/wsfed/federation/v1.2/cd/ws-federation-1.2-spec-cd-02.doc (section 13.2.4.1). You just need to redirect to the STS with wa=signout1.0 qs parameter after deleting the session token. So, something like this:

// ASP.NET MVC action; the surrounding method is added so the snippet is complete.
public ActionResult SignOut()
{
    // delete the RP's own session token first
    FederatedAuthentication.SessionAuthenticationModule.SignOut();

    WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;

    //authModule.SignOut();

    // note: this is an ASP.NET MVC redirect. I believe you want to use Response.Redirect(url, true) with webforms
    // then send the browser to the STS's passive sign-out URL
    return Redirect(WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(authModule.Issuer, authModule.Realm, null));
}

ryandev
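The passive sign-out exchange from WS-Federation section 13.2.4.1 that the workaround above relies on, as an added protocol-level illustration (not Geneva/WIF code and not from any poster): the RP deletes its own session first, redirects the browser to the STS with wa=wsignout1.0 (the spec's exact value), and later clears the session again when the STS calls back with wa=wsignoutcleanup1.0. The issuer and realm URLs, the dictionary standing in for the session-token cookie store, and the RpSignOutHandler class are all constructed for this example; wreply is only forwarded when it stays inside the RP's own realm so the STS cannot be turned into an open redirector.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


class RpSignOutHandler:
    """Relying-party side of WS-Federation passive sign-out (constructed example)."""

    def __init__(self, issuer, realm, sessions):
        self.issuer = issuer      # STS passive endpoint (constructed URL)
        self.realm = realm        # this RP's realm; wreply must stay inside it
        self.sessions = sessions  # dict standing in for the session-token cookie store

    def _in_realm(self, url):
        """True if url has the same scheme and host as our realm."""
        u, r = urlsplit(url), urlsplit(self.realm)
        return u.scheme == r.scheme and u.netloc == r.netloc

    def local_signout(self, session_id):
        """Step 1: delete the RP session token before contacting the STS."""
        self.sessions.pop(session_id, None)

    def federation_signout_url(self, reply=None):
        """Step 2: build the redirect to the STS with wa=wsignout1.0.

        wreply is only added when it points back into our own realm;
        an attacker-supplied return URL is silently dropped."""
        params = {"wa": "wsignout1.0"}
        if reply and self._in_realm(reply):
            params["wreply"] = reply
        sep = "&" if "?" in self.issuer else "?"
        return self.issuer + sep + urlencode(params)

    def handle_request(self, session_id, url):
        """RP request handling: the STS (via the browser) calls back with
        wa=wsignoutcleanup1.0, which must clear the session even though
        the caller presents no token of its own."""
        query = parse_qs(urlsplit(url).query)
        wa = query.get("wa", [None])[0]
        if wa == "wsignoutcleanup1.0":
            self.sessions.pop(session_id, None)
            return "signed-out"
        if session_id in self.sessions:
            return "authenticated as " + self.sessions[session_id]
        return "anonymous"
```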
So when should the following be used?


FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Delete();

scott_m

I am also facing the same situation (Beta2) with LiveID provider. Is there any workable method available for successful signing-out? Thank you.


Chandana N. Athauda - MVP
http://www.yeschandana.com
YESChandana
