Support redirection after sign out; Support WREPLY parameter needed for ADFS and Facebook
Currently, wreply is not supported. When an ADFSv2 user signs out they get a dead end page like this:
The wreply parameter is an industry standard and should be implemented:
The second (related) issue I’m having is that I’m trying to deauth ADFS and Facebook. I need to use the wreply parameter to redirect the user off the ACS host, and back on some “normal” user page.
You might ask why am I redirecting to the ACS? It’s because Facebook is requiring me to. And since the Facebook TOS requires me to implement sign out features (that actually log someone out of Facebook, not just my RP) then I have to redirect them to the ACS signout page.
The issue is that the user experience is horrible. They dead end at a page that tells them to close the browser windows. This is a no-go for me since my application is used in kiosks where it’s not possible to close the browser window, or navigate using the URL. Plus it’s bad design.
WREPLY is supported today for both Facebook and ADFS when sign-out is initiated from the relying party application. Certain limitations prevent us from supporting IDP initiated sign-out when the IDP is a social IDP like Facebook (MSA, Google and Yahoo are in this bucket too, basically these IDPs don’t send ACS a wsignoutcleanup1.0 and we cannot complete sign-out by fanning out wsignoutcleanup1.0 to the RPs involved). IDP initiated sign-out where IDP is ADFS is supported today, see “Identity Provider Initiates Sign-Out” section of the sign-out documentation that describes the referrer check involved to make this possible. You can find more details for sign-out support here: http://msdn.microsoft.com/en-us/library/dn223670.aspx.
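The two halves of the RP-initiated flow described above, as an added example that is not part of the original thread and not ACS's or Microsoft's own code: the RP builds the ACS sign-out URL with wa=wsignout1.0 and a wreply, and the RP also answers the wsignoutcleanup1.0 request that ACS fans out to each RP. The ACS namespace "contoso", the kiosk hostname and the post-sign-out page are hypothetical. The security point the thread leaves implicit is that wreply is a redirect target under the caller's control, so the RP must only ever emit or honour values from an exact allowlist; otherwise the sign-out endpoint becomes an open redirect.

```python
"""Added example: WS-Federation sign-out against ACS with a validated wreply.
The namespace, hostnames and page paths below are hypothetical placeholders."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

ACS_NAMESPACE = "contoso"  # hypothetical ACS namespace
ACS_WSFED_ENDPOINT = f"https://{ACS_NAMESPACE}.accesscontrol.windows.net/v2/wsfederation"

# Exact-match allowlist of pages the browser may be sent to after sign-out.
# A wreply read from a request is attacker-controllable, so it is never
# forwarded unchecked (that would be an open redirect off the RP).
ALLOWED_WREPLY = {
    "https://kiosk.contoso.example/signed-out",  # hypothetical kiosk page
}


def is_safe_wreply(url: str) -> bool:
    """True only for https URLs that exactly match the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    # Reject userinfo tricks such as https://kiosk.contoso.example@evil.test/
    if "@" in parts.netloc:
        return False
    return url in ALLOWED_WREPLY


def build_rp_initiated_signout_url(wreply: str) -> str:
    """URL the RP redirects the browser to in order to start sign-out at ACS.

    wa=wsignout1.0 asks ACS to sign the user out; wreply is where ACS sends
    the browser afterwards instead of its default "close your browser" page.
    """
    if not is_safe_wreply(wreply):
        raise ValueError(f"refusing to use untrusted wreply: {wreply!r}")
    return ACS_WSFED_ENDPOINT + "?" + urlencode({"wa": "wsignout1.0", "wreply": wreply})


def handle_signout_cleanup(query_string: str, session: dict) -> Optional[str]:
    """Handle the wsignoutcleanup1.0 request ACS fans out to each RP.

    Clears the local RP session and returns a redirect target only if the
    request carried an allowlisted wreply; otherwise returns None, meaning
    the RP should answer 200 with no redirect.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    if params.get("wa") != ["wsignoutcleanup1.0"]:
        return None  # not a cleanup request; leave the session alone
    session.clear()  # always drop the RP session on a genuine cleanup
    wreply = params.get("wreply", [None])[0]
    if wreply and is_safe_wreply(wreply):
        return wreply
    return None


if __name__ == "__main__":
    print(build_rp_initiated_signout_url("https://kiosk.contoso.example/signed-out"))
    sess = {"user": "alice"}
    print(handle_signout_cleanup("wa=wsignoutcleanup1.0&wreply=https%3A%2F%2Fevil.test%2F", sess), sess)
```

The allowlist is deliberately an exact-match set rather than a prefix or hostname check: prefix matching is how redirect filters get bypassed with look-alike hosts, and the kiosk use case above only ever needs one landing page anyway.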