ADFS WS-Federation ignores wreply on signout — redirects to default logout page instead of my app

1 week ago 7

I have an ASP.NET Web Forms application using OWIN + WS-Federation against an ADFS 2016/2019 server. After signing out, ADFS always shows its own "Déconnexion / Vous vous êtes déconnecté." page instead of redirecting back to the ADFS login page, even though I am sending a valid wreply parameter in the signout request.

The ADFS signout URL in the browser looks like this (correct, no issues with encoding):

```
https://srvadfs.oc.gov.ma/adfs/ls/?wtrealm=https%3A%2F%2Ffdfp.oc.gov.ma%2FWorkflow&wa=wsignout1.0&wreply=https%3A%2F%2Ffdfp.oc.gov.ma%2FWorkflow%2Flogin.aspx
```

My OWIN Startup.cs

```csharp
using Microsoft.Owin;                       // required for the OwinStartup attribute
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using System.Configuration;
using System.Threading.Tasks;

[assembly: OwinStartup("WebAppStartup", typeof(WebApplication.Startup))]

namespace WebApplication
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(
                CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                MetadataAddress = ConfigurationManager.AppSettings["AdfsMetadataAddress"],
                Wtrealm = ConfigurationManager.AppSettings["WtrealmAppUrl"],
                Wreply = ConfigurationManager.AppSettings["WreplyAppUrl"],
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Override wreply on the outgoing signout request only;
                    // sign-in requests keep the Wreply configured above
                    RedirectToIdentityProvider = context =>
                    {
                        if (context.ProtocolMessage.IsSignOutMessage)
                        {
                            context.ProtocolMessage.Wreply =
                                ConfigurationManager.AppSettings["SignOutRedirectUrl"];
                        }
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

My Logout Button (code-behind)

```csharp
using System;
using System.Web;                           // GetOwinContext() extension method
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;

protected void btnLogout_Click(object sender, EventArgs e)
{
    // Drop server-side session state
    Session.Clear();
    Session.Abandon();

    // Expire every cookie the browser sent with this request
    if (Request.Cookies != null)
    {
        foreach (string cookie in Request.Cookies.AllKeys)
            Response.Cookies[cookie].Expires = DateTime.Now.AddDays(-1);
    }

    // Sign out of the local auth cookie and let the WS-Federation middleware
    // issue the wsignout1.0 redirect to ADFS
    var ctx = HttpContext.Current.GetOwinContext();
    ctx.Authentication.SignOut(
        CookieAuthenticationDefaults.AuthenticationType,
        WsFederationAuthenticationDefaults.AuthenticationType
    );
}
```

Web.config appSettings

```xml
<appSettings>
  <add key="SignOutRedirectUrl" value="https://fdfp.oc.gov.ma/Workflow/Login.aspx"/>
  <add key="AdfsMetadataAddress" value="https://srvadfs.oc.gov.ma/FederationMetadata/2007-06/FederationMetadata.xml"/>
  <add key="WtrealmAppUrl" value="https://fdfp.oc.gov.ma/Workflow/"/>
  <add key="WreplyAppUrl" value="https://fdfp.oc.gov.ma/Workflow/login.aspx"/>
</appSettings>
```

What I expect vs. what happens

Expected: After signout, ADFS processes the wreply and redirects the browser to https://fdfp.oc.gov.ma/Workflow/login.aspx, the login page where I issue the ADFS login challenge.

Actual: ADFS shows its own built-in logout page ("Déconnexion — Vous vous êtes déconnecté.") and stays there. The wreply parameter is present in the URL but is completely ignored.
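An added check, not part of the question above: an identity provider treats wreply as an untrusted, attacker-controllable redirect target, so AD FS only honours a signout wreply that is registered as a WS-Federation endpoint on the relying party trust and otherwise falls back to its own logout page (open-redirect protection). The script below, run on the AD FS server, lists the endpoints registered for the trust and compares them literally against the wreply the application sends. The identifier and wreply are taken from the question's appSettings; the comparison being case-sensitive is an assumption, made deliberately because the question's own config uses both `login.aspx` and `Login.aspx`, so which spelling is actually sent should be confirmed in the browser URL.

```powershell
# Added example (not from the question). Run in an elevated PowerShell
# session on the AD FS server, where the ADFS module is available.
Import-Module ADFS

$rpIdentifier = 'https://fdfp.oc.gov.ma/Workflow/'            # WtrealmAppUrl from the question
$wantedWreply = 'https://fdfp.oc.gov.ma/Workflow/login.aspx'  # wreply seen in the signout URL

$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "No relying party trust found with identifier $rpIdentifier" }

# Collect every URL AD FS will accept as a wreply for this relying party:
# the primary WS-Fed passive endpoint plus any additional endpoints.
$registered = @()
if ($rp.WSFedEndpoint) { $registered += $rp.WSFedEndpoint.AbsoluteUri }
$registered += @($rp.AdditionalWSFedEndpoint | Where-Object { $_ })

Write-Host "Registered WS-Fed endpoints for $($rp.Name):"
$registered | ForEach-Object { Write-Host "  $_" }

# Literal (case-sensitive) comparison: assumption, see lead-in.
if ($registered -ccontains $wantedWreply) {
    Write-Host "wreply '$wantedWreply' is registered; AD FS should honour it on signout."
}
else {
    Write-Warning "wreply '$wantedWreply' is not a registered endpoint; AD FS will show its own logout page."
    Write-Host "To allowlist exactly this URL (and nothing broader), an admin can run:"
    Write-Host "  Set-AdfsRelyingPartyTrust -TargetIdentifier '$rpIdentifier' ``"
    Write-Host "    -AdditionalWSFedEndpoint (@(`$rp.AdditionalWSFedEndpoint) + '$wantedWreply')"
}
```

The script only reads configuration; the `Set-AdfsRelyingPartyTrust` line is printed rather than executed so the change stays a deliberate admin action. Registering the single login page URL, rather than a wildcard or the whole host, keeps the set of redirect targets AD FS will send users to as small as the application actually needs.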
