Single sign on appears to work properly for my application and a number of other web sites that share an STS. When I log out of my application, I appear to be correctly logged out of my site; however, I can still access other applications that use the same STS, without having to log in, again. Can anyone tell me what I am missing?
My application calls everything under the sun, in an attempt to get this to work, but the behavior is the same when I only call FederatedSignOut.
FederatedAuthentication.SessionAuthenticationModule.SignOut();
FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
System.Web.Security.FormsAuthentication.SignOut();
WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
WSFederationAuthenticationModule.FederatedSignOut(new Uri(authModule.Issuer), new Uri(authModule.Realm));
Here is my STS logout code.
SignOutRequestMessage requestMessage = (SignOutRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);
FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest(requestMessage, User, requestMessage.Reply, Response);
Is this a problem with the STS, or with my application? Is it possible that this is a configuration issue if the logout is at least working for my application? Do I have to explicitly send a “wsignoutcleanup1.0” message to all of the RPs, or should ProcessSignOutRequest be doing that for me?
As you probably guessed, both the STS and your application create their own session cookie, and they can’t touch each other’s cookies, which is why you need the wsignoutcleanup1.0 message.
On your application side, only the call to FederatedSignOut() is necessary. It will delete your application session cookie for you before it redirects to the STS, so everything else you have there is redundant.
Now, however, it’s up to your STS to properly receive and handle the incoming wsignoutcleanup1.0 request at some signout endpoint. It sounds like yours isn’t. I would first confirm that this STS code of yours is actually being hit. If it is being hit, but the STS session cookie remains, then something else is wrong.
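The sign-out exchange the answer describes, as an added model in Python (not WIF code and not from the question): each party owns its own cookie, the RP's FederatedSignOut deletes its cookie and redirects with wa=wsignout1.0, and the STS must answer with one wsignoutcleanup1.0 request per relying party it issued a token to. The realms, issuer and cookie names are constructed samples; `send_cleanup=False` reproduces an STS that clears its own session but never dispatches cleanup.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

class Sts:
    """Model of the STS side of WS-Federation passive sign-out (assumed, not WIF)."""
    issuer = "https://sts.example/"            # constructed sample issuer

    def __init__(self):
        self.cookie = "sts-session"            # the STS's own session cookie
        self.active_rps = set()                # realms that got a token this session

    def handle_signout(self, url, send_cleanup=True):
        """wa=wsignout1.0: drop own cookie, then list every RP that needs cleanup."""
        q = parse_qs(urlsplit(url).query)
        if q.get("wa") != ["wsignout1.0"]:
            raise ValueError("not a wsignout1.0 request")
        self.cookie = None
        cleanup_urls = []
        if send_cleanup:   # the part the STS must do; an RP cannot clear another RP's cookie
            cleanup_urls = [f"{rp}?{urlencode({'wa': 'wsignoutcleanup1.0'})}"
                            for rp in sorted(self.active_rps)]
        self.active_rps.clear()
        return cleanup_urls, q.get("wreply", [None])[0]

class Rp:
    """Model of a relying party's own cookie handling."""
    def __init__(self, realm, sts):
        self.realm, self.sts, self.cookie = realm, sts, None

    def sign_in(self):
        self.cookie = "FedAuth"                  # the RP's own session cookie
        self.sts.active_rps.add(self.realm)

    def federated_signout(self):
        """Like FederatedSignOut(): delete own cookie, then redirect to the STS."""
        self.cookie = None
        return f"{self.sts.issuer}?{urlencode({'wa': 'wsignout1.0', 'wreply': self.realm})}"

    def handle(self, url):
        """An RP receiving wsignoutcleanup1.0 deletes only its own cookie."""
        if parse_qs(urlsplit(url).query).get("wa") == ["wsignoutcleanup1.0"]:
            self.cookie = None

def run(send_cleanup):
    """Sign in to two RPs, sign out of one, return who still holds a cookie."""
    sts = Sts()
    rps = {r: Rp(r, sts) for r in ("https://app-a.example/", "https://app-b.example/")}
    for rp in rps.values():
        rp.sign_in()
    redirect = rps["https://app-a.example/"].federated_signout()
    cleanup_urls, _ = sts.handle_signout(redirect, send_cleanup)
    for u in cleanup_urls:          # the browser fetches each cleanup URL (e.g. <img> tags)
        rps[u.split("?")[0]].handle(u)
    return {**{r: rp.cookie for r, rp in rps.items()}, "sts": sts.cookie}
```

With cleanup dispatched, both RPs and the STS end up without a cookie; without it, the STS and app-a are signed out but app-b still holds its FedAuth cookie, which is the symptom in the question.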