3

Rule #6 of the Facebook developer policy says I must provide an explicit Log out link, but I'm unable to make it work.

My goal is to either sign my application out of Facebook, the user from the entire Facebook experience environment, or both. So far, I can't do any of these.

This may be complicated by the fact I'm using Azure ACS and am not using the typical FB APIs. Things I've tried include:

Attempt 1: Facebook OAuth Logout

 "http://www.facebook.com/logout.php?api_key={0}&;session_key={1}";
 // I don't know how to get the session key.  I attempted the values stored in 
 // the claim  "http://www.facebook.com/claims/AccessToken" but no luck

Attempt 2: ACS logout (undocumented?)

https://tlsadmin.accesscontrol.windows.net/v2/wsfederation?wa=wsignoutcleanup1.0

Neither of these approaches allow an alternate Facebook user to sign in. Any links would be appreciated.

Simplified Question

How do I get *.accescontrol.windows.net to redirect back to my website?

Community
  • 1
  • 1
makerofthings7
  • 60,103
  • 53
  • 215
  • 448
  • Seems like a `GET` to /Logout no longer works... http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/f92e24bc-e685-4709-9e5e-7b203efef44b – makerofthings7 May 31 '12 at 20:05

3 Answers3

2

The December 2012 update of ACS includes support for federated single sign-out:

Using the WS-Federation protocol. Web applications that use ACS to enable single sign-on (SSO) with identity providers using the WS-Federation protocol can now take advantage of single sign out capabilities. When a user signs out of a web application, ACS can automatically sign the user out of the identity provider and out of other relying party applications that use the same identity provider.

This feature is enable for WS-Federation identity providers, including Active Directory Federation Services 2.0 and Windows Live ID (Microsoft account). To enable single sign out, ACS performs the following tasks for WS-Federation protocol endpoints:

  • ACS recognizes wsignoutcleanup1.0 messages from identity providers and responds by sending wsignoutcleanup1.0 messages to relying party applications.

  • ACS recognizes wsignout1.0 and wreply messages from relying party applications and responds by sending wsignout1.0 messages to identity providers and wsignoutcleanup1.0 messages to relying party applications.

From the Code Sample: ASP.NET MVC 4 with Federated Sign-out, implement an Action like the following to sign out from ACS:

(Note that Windows Identity Foundation is now incorporated into .NET 4.5 Framework, that's why the new namespaces below)

using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;

public ActionResult Logout()
{
    // Load Identity Configuration
    FederationConfiguration config = FederatedAuthentication.FederationConfiguration;

    // Get wtrealm from WsFederationConfiguation Section
    string wtrealm = config.WsFederationConfiguration.Realm;
    string wreply;

    // Construct wreply value from wtrealm (This will be the return URL to your app)
    if (wtrealm.Last().Equals('/'))
    {
        wreply = wtrealm + "Logout";
    }
    else
    {
        wreply = wtrealm + "/Logout";
    }

    // Read the ACS Ws-Federation endpoint from web.Config
    // something like "https://<your-namespace>.accesscontrol.windows.net/v2/wsfederation"
    string wsFederationEndpoint = ConfigurationManager.AppSettings["ida:Issuer"];

    SignOutRequestMessage signoutRequestMessage = new SignOutRequestMessage(new Uri(wsFederationEndpoint));

    signoutRequestMessage.Parameters.Add("wreply", wreply);
    signoutRequestMessage.Parameters.Add("wtrealm", wtrealm);

    FederatedAuthentication.SessionAuthenticationModule.SignOut();

    string signoutUrl = signoutRequestMessage.WriteQueryString();

    return this.Redirect(signoutUrl);
}
Luciano Carvalho
  • 1,739
  • 15
  • 15
0

As this post suggests: Azure AppFabric Access Control Service Log Off, you can create a custom log out button, and simply call the ederatedAuthentication.WSFederationAuthenticationModule.SignOut method on the click of the button. ACS then should handle the log out process for you.

Community
  • 1
  • 1
LewisBenge
  • 2,706
  • 16
  • 20
  • That code expires the FAM cookie, but doesn't perform a redirect to the providers... well at least not in my setup which is based on the sample MVC local forms sign-in – makerofthings7 Oct 06 '11 at 06:27
0

Generally speaking there are two or three steps to federated sign out - locally you need to remove the forms auth cookie if one was used as well as the FIM cookie, this will sign out from the local application.

You then need to issue wasignoutcleanup10 request to the STS used, which would sign you out from the STS itself and, in theory, shoud issue a wasignoutcleanup1.0 request (or equivalent) to all the other IPs that were involved in the process (the STS should keep track of which IPs were contacted for each request)

I built such scenario once using Windows Identity Foundation which has the components needed, but it did require some development to keep track of the all the IPs and issue the calls.

I suspect that the ACS currently does not support this behaviour meaning that a user will have to close the browser to fully sign-out from all the applications.

Yossi Dahan
  • 5,389
  • 2
  • 28
  • 50