If you are using Windows Azure AppFabric ACS to use Identity Providers (i.e. Google, Yahoo, Facebook, ADFS WLID, or any other Open ID Identity Provider), you might have the question about how to logout gracefully from your application, other than closing the browser? Also the sample on Windows Azure training kit only shows the logon part, not the logout.

 

To do clean Logout form your application you would want the following:

  • Clear the WIF issued authentication cookie
  • Redirect logged user to the logout page (e.g. ~/home/).

 

If you application is web application you can write the following code to perform clean logout:

 

 WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
FormsAuthentication.SignOut();
fam.SignOut(true);
// Write your code to Redirect to home page after Log Out

 

Above sample code snippet is the most common scenario for web applications with open ID based Identity provider.

 

Situation gets tricky when you are using federated Identity provider i.e. ADFS. If you are using federated Identity provider, using above code, the user not only logs out from web application but he/she also logs out from the identity provider federation.

 

Windows Identity Foundation (WIF) supports federated log out but ACS does not. ACS cannot implement the full federated logout because not all the ACS supported identity providers support this scenario. As far as I know, WS-Federation IDPs and Windows Live does support federated logout.

 

To do federated sign out, in the code sample above, instead of redirecting user to your logout page, you will need to redirect the user to the IDP’s “LogoutUrl”. The IDP’s “LogoutUrl” is part of the Home Realm Discovery (HRD) information and it is provided by ACS.

 

You can look to ACS with MVC3 sample to see how you can get HRD info from ACS:

 

To learn more about Login Page and Home Realm Discovery:

 

Thanks for Windows Azure ACS team to provide this information.