By default, when you sign out of Sitecore, you don’t get signed out of your Federated Authentication Provider (tested against Sitecore 9.0). So if you try to sign in again after signing out, your Federated Authentication Provider still recognises you, doesn’t challenge you to sign in again, and lets you straight back into the system.
So have you really signed out, if you haven’t signed out of the Federated Authentication provider as well? IMHO - no.
If you log out of Microsoft Office 365, it also logs you out of Azure AD.
If you log out of Azure Portal, it also logs you out of Azure AD.
Also note that the Azure AD sign out page signs you out of Office 365 as well, even if you are signing out from another system. (That goes even further, towards a true single sign out where you are signed out of every system at once, but the sign out page has to know about all of the systems to sign you out of, which is beyond the scope of this post.)
So you can see it’s pretty standard behaviour, when you sign out of a system, to also sign you out of the Federated Authentication provider.
Pipelines/Processor + Reflector = Win!
Starting with the Sitecore Launch pad.
The “Log out” button has some JS that fires “-/speak/v1/business/AccountInformation.js”, which does an AJAX POST request to “/sitecore/shell/api/sitecore/Authentication/Logout?sc_database=master”. It then parses the JSON result, reads the “Redirect” value and redirects the user client side to the specified URL.
Server side, this “AuthenticationController” can be found in “Sitecore.Speak.Client.dll”, as the “Logout” HttpPost method of “Sitecore.Controllers.AuthenticationController”.
This in turn calls “Sitecore.Shell.Security().Logout” passing in an “Action
“Sitecore.Shell.Security().Logout” calls a pipeline “speak.logout”. This pipeline takes an argument of type “LogoutArgs”. “LogoutArgs” has a property “RedirectUrl” of type “UrlString”.
“RedirectUrl” is initialised with “Context.Site.LoginPage” before the “speak.logout” pipeline is called. After the pipeline has run, the “RedirectUrl” value is used to send the client to the specified page.
In the Content Editor, on the other hand, the “Log out” button’s onclick calls “scForm.postEvent(this, event, ‘system.logout’)”.
This triggers the “logout” pipeline, which takes the same argument type, “LogoutArgs”, as the “speak.logout” pipeline.
If the “LogoutArgs” “RedirectUrl” property has not been set, it triggers a server side redirect to the “Client.Site.LoginPage”. See the “Sitecore.Pipelines.Logout.GotoLogin.Process” method in “Sitecore.Kernel.dll”.
So, to override the default logout behaviour of going to the Sitecore login page, we add a processor to “Speak.Logout” that sets the “RedirectUrl”, and a processor to “logout”, placed before “Sitecore.Pipelines.Logout.GotoLogin, Sitecore.Kernel”, that also sets the “RedirectUrl”.
That way we control where users are redirected to on logout.
Interestingly, when configuring a Federated Authentication provider you specify “PostLogoutRedirectUri” on the “OpenIdConnectAuthenticationOptions” class, but it isn’t used. Still, we can reuse this configuration setting in our pipeline processor.
If you are using Azure AD, you can set the “RedirectUrl” to something like “https://login.microsoft.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2fsitecore.local%2Fsitecore%2Flogin”
So it will log you out of Azure AD, then redirect you back to “https://sitecore.local/sitecore/login”
Obviously change the “post_logout_redirect_uri” parameter to match your environment.
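As an added example (not code from the original post), here is one processor class that can be registered in both the “speak.logout” and “logout” pipelines to set the “RedirectUrl” described above, together with the config patch that wires it in. The namespace, assembly name and the “FedAuth.LogoutEndpoint” / “FedAuth.PostLogoutRedirectUri” setting names are assumptions; “LogoutArgs” and “UrlString” are the Sitecore types the post names.

```csharp
// Added example, not from the original post. Setting names and namespace are assumed.
using System;
using Sitecore.Configuration;
using Sitecore.Pipelines.Logout;
using Sitecore.Text;

namespace Example.FederatedLogout
{
    // Runs in both "speak.logout" (Launchpad) and "logout" (Content Editor); both pass LogoutArgs.
    public class RedirectToIdentityProviderLogout
    {
        public void Process(LogoutArgs args)
        {
            // Both values come from config, never from the request, so a crafted
            // logout link cannot steer users to an arbitrary site after sign out.
            string logoutEndpoint = Settings.GetSetting("FedAuth.LogoutEndpoint");
            string returnTo = Settings.GetSetting("FedAuth.PostLogoutRedirectUri");
            if (string.IsNullOrEmpty(logoutEndpoint) || string.IsNullOrEmpty(returnTo))
            {
                return; // leave RedirectUrl alone so GotoLogin keeps its default behaviour
            }

            // Azure AD only honours a post_logout_redirect_uri registered on the app.
            string url = logoutEndpoint + "?post_logout_redirect_uri=" + Uri.EscapeDataString(returnTo);
            args.RedirectUrl = new UrlString(url);
        }
    }
}

/* Config patch (e.g. App_Config/Include/zzz.FederatedLogout.config):
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <setting name="FedAuth.LogoutEndpoint" value="https://login.microsoft.com/common/oauth2/logout" />
      <setting name="FedAuth.PostLogoutRedirectUri" value="https://sitecore.local/sitecore/login" />
    </settings>
    <pipelines>
      <speak.logout>
        <processor type="Example.FederatedLogout.RedirectToIdentityProviderLogout, Example" />
      </speak.logout>
      <logout>
        <processor type="Example.FederatedLogout.RedirectToIdentityProviderLogout, Example"
                   patch:before="processor[@type='Sitecore.Pipelines.Logout.GotoLogin, Sitecore.Kernel']" />
      </logout>
    </pipelines>
  </sitecore>
</configuration>
*/
```

The post-logout URI must also be registered as a reply URL on the Azure AD app, otherwise Azure AD will not redirect back to it.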
With a few extra pipeline processors, and with the help of Reflector, we can achieve single sign out with Sitecore.
I’ve only tried this with Sitecore 9.0, and not with the new Sitecore Identity Server.