使用自定义STS从访问控制服务注销 [英] Logout from access control service with custom STS

问题描述

我正在使用带有自定义STS的Windows Azure访问控制服务.我可以通过ACS登录到我的应用程序，但是我无法使用注销功能.我已经在我的应用程序中尝试过此代码.

I'm using Windows azure access control service with custom STS. I can login to my application through ACS, but I have trouble with logout function. I've tried this code in my application.

        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

        try
        {
            FormsAuthentication.SignOut();
        }
        finally
        {
            fam.SignOut(true);
        }
        Page.Response.Redirect("default.aspx");

但是，它似乎是从ACS注销用户的，而不是从自定义STS注销的.我应该怎么做才能从STS注销.应用(RP)，ACS或STS可能在哪里出现问题?

But it seems that it logout the user from ACS but not from the custom STS. What should I do to logout from STS. Where could be the problem in the appliacation (RP), ACS or in STS?

我认为ACS应该要求自定义STS登出用户，但似乎并没有这样做.我想念的是什么?

I think that ACS should ask custom STS to logout the user, but it seems it doesnt do that. What I am missing?

推荐答案

我创建了一个用于执行FederatedSignout的辅助方法，并在代码中添加了我沿途(hth)发现的内容的注释

I have created a helper method for doing FederatedSignout, with comments in the code for what I discovered along the way (hth)

public static void FederatedSignOut(string reply = null)
{
   WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

   // Native FederatedSignOut doesn't seem to have a way for finding/registering realm for singout, get it from the FAM
   string wrealm = string.Format("wtrealm={0}", fam.Realm);

   // Create basic url for signout (wreply is set by native FederatedSignOut)
   string signOutUrl = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(fam.Issuer, null, wrealm);

   // Check where to return, if not set ACS will use Reply address configured for the RP
   string wreply = !string.IsNullOrEmpty(reply) ? reply : (!string.IsNullOrEmpty(fam.Reply) ? fam.Reply : null);

   WSFederationAuthenticationModule.FederatedSignOut(new Uri(signOutUrl), !string.IsNullOrEmpty(wreply) ? new Uri(wreply) : null);

   // Remarks! Native FederatedSignout has an option for setting signOutUrl to null, even if the documentation tells otherwise.
   // If set to null the method will search for signoutUrl in Session token, but I couldn't find any information about how to set this. Found some Sharepoint code that use this
   // Michele Leroux Bustamante had a code example (from 2010) that also uses this form.
   // Other examples creates the signout url manually and calls redirect.

   // FAM has support for wsignoutcleanup1.0 right out of the box, there is no need for code to handle this.
   // That makes it even harder to understand why there are no complete FederatedSignOut method in FAM

   // When using native FederatedSignOut() no events for signout will be called, if you need this use the FAM SignOut methods instead.
}

此代码在我们为使用ACS的Web SSO创建的标准RP库中使用.

This code is used in a standard RP library we created for Web SSO with ACS.

这篇关于使用自定义STS从访问控制服务注销的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！