Federated Authentication Single Sign Out

Sun, Nov 24, 2019 in Development , Sitecore using tags Federated Authentication , Sitecore , AzureAD


By default, when you sign out of Sitecore you don’t get signed out of your Federated Authentication Provider (tested against Sitecore 9.0). So if you try to sign in again after signing out, your Federated Authentication Provider still recognises you, doesn’t challenge you to sign in again, and lets you straight back into the system.

So have you really signed out, if you haven’t signed out of the Federated Authentication provider as well? IMHO - no.

What’s the behaviour of other services using Federated Authentication?

If you log out of Microsoft Office 365, it also logs you out of Azure AD.

If you log out of Azure Portal, it also logs you out of Azure AD.

Also note that the Azure AD sign out page signs you out of Office 365 as well, even if you arrived there by signing out of another system. That goes even further, towards a true single sign out where you are signed out of every system at once, but the sign out page then has to know about every system it needs to sign you out of, which is beyond the scope of this post.

So we can see it’s pretty standard behaviour that signing out of a system also signs you out of the Federated Authentication provider.

So how do you configure Sitecore to sign out of a Federated Authentication provider as well as Sitecore?

Pipelines/Processor + Reflector = Win!


Pipelines Everywhere


For the LaunchPad using Speak

Starting with the Sitecore Launch pad.

The “Log out” button has some JS that fires “-/speak/v1/business/AccountInformation.js”, which makes an AJAX POST request to “/sitecore/shell/api/sitecore/Authentication/Logout?sc_database=master”. It then parses the JSON result, reads the “Redirect” value, and redirects the user client side to the specified URL.

Serverside this “AuthenticationController” can be found in “Sitecore.Speak.Client.dll” “Sitecore.Controllers.AuthenticationController” “Logout” HttpPost method.

This in turn calls “Sitecore.Shell.Security().Logout” passing in an “Action”, to capture the RedirectUrl for the JSON result.

“Sitecore.Shell.Security().Logout” calls a pipeline “speak.logout”. This pipeline takes an argument of type “LogoutArgs”. “LogoutArgs” has a property “RedirectUrl” of type “UrlString”.

“RedirectUrl” is initialised with “Context.Site.LoginPage” before the “speak.logout” pipeline is called. After the pipeline has run, the “RedirectUrl” value is used to send the client to the specified page.

For the Content Editor

In the Content Editor, on the other hand, the “Log out” button’s onclick calls “scForm.postEvent(this, event, ‘system.logout’)”.

This triggers the processor “logout”. This also takes the same argument of type “LogoutArgs”, as the “speak.logout” pipeline.

If the “RedirectUrl” property of “LogoutArgs” has not been set, it triggers a server side redirect to “Context.Site.LoginPage”. See the “Sitecore.Pipelines.Logout.GotoLogin.Process” method in “Sitecore.Kernel.dll”.

Pipeline

So, to override the behaviour of logout going to the Sitecore login page, we add a processor to the “speak.logout” pipeline that sets the “RedirectUrl”.

We also add a processor to the “logout” pipeline, before the processor “Sitecore.Pipelines.Logout.GotoLogin, Sitecore.Kernel”, that sets the “RedirectUrl” (GotoLogin only redirects to the login page when “RedirectUrl” is still unset).

That way we control where users are redirected to on logout.

Federated Authentication Provider settings not used

Interestingly, when configuring a Federated Authentication provider you specify “PostLogoutRedirectUri” on the “OpenIdConnectAuthenticationOptions” class, but this value isn’t used by Sitecore’s logout. Still, we can reuse this configuration value in our processors.

Example settings to change RedirectUrl to

If you are using Azure AD, you can set the “RedirectUrl” to something like “https://login.microsoft.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fsitecore.local%2Fsitecore%2Flogin”

This will log you out of Azure AD and then redirect you back to “https://sitecore.local/sitecore/login”.

Obviously, change the “post_logout_redirect_uri” parameter to match your environment.
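The following is an added example of the processor described in the Pipeline section, written for this post rather than taken from Sitecore or the original article. It assumes that “LogoutArgs” lives in the “Sitecore.Pipelines.Logout” namespace of Sitecore.Kernel (the post only names the type), and the two Sitecore setting names used to hold the end-session URL and the post-logout return URL are hypothetical. Both values are read from configuration, never from the request, so the redirect target cannot be influenced by a caller.

```csharp
using System;
using Sitecore.Configuration;
using Sitecore.Pipelines.Logout;   // assumed namespace of LogoutArgs (Sitecore.Kernel)
using Sitecore.Text;

namespace Example.Pipelines.Logout
{
    // Processor for both the "logout" and "speak.logout" pipelines. It replaces the
    // default RedirectUrl (the Sitecore login page) with the identity provider's
    // end-session endpoint, so the browser is signed out of the provider as well.
    public class RedirectToFederatedLogout
    {
        // Hypothetical setting names; add them to a Sitecore config patch.
        // e.g. Example.FederatedLogout.EndSessionUrl = https://login.microsoft.com/common/oauth2/logout
        //      Example.FederatedLogout.PostLogoutRedirectUri = https://sitecore.local/sitecore/login
        private const string EndSessionSetting = "Example.FederatedLogout.EndSessionUrl";
        private const string PostLogoutSetting = "Example.FederatedLogout.PostLogoutRedirectUri";

        public void Process(LogoutArgs args)
        {
            string endSession = Settings.GetSetting(EndSessionSetting, string.Empty);
            string postLogout = Settings.GetSetting(PostLogoutSetting, string.Empty);

            // Not configured: leave RedirectUrl alone so GotoLogin (or the speak
            // default of Context.Site.LoginPage) behaves exactly as before.
            if (string.IsNullOrEmpty(endSession) || string.IsNullOrEmpty(postLogout))
            {
                return;
            }

            args.RedirectUrl = new UrlString(BuildLogoutUrl(endSession, postLogout));
        }

        // Builds "<endSession>?post_logout_redirect_uri=<encoded return url>".
        // Kept separate from Process so it can be unit tested without a pipeline.
        public static string BuildLogoutUrl(string endSessionUrl, string postLogoutRedirectUri)
        {
            // Require an absolute https return URL: the provider will send the user
            // here after sign out, and it must also be registered with the provider.
            Uri returnTo;
            if (!Uri.TryCreate(postLogoutRedirectUri, UriKind.Absolute, out returnTo)
                || returnTo.Scheme != Uri.UriSchemeHttps)
            {
                throw new ArgumentException(
                    "PostLogoutRedirectUri must be an absolute https URL", "postLogoutRedirectUri");
            }

            // UrlString.Add URL-encodes the value, giving the %3A%2F%2F form shown above.
            var url = new UrlString(endSessionUrl);
            url.Add("post_logout_redirect_uri", returnTo.AbsoluteUri);
            return url.ToString();
        }
    }
}
```

Wire the same class into both pipelines with a config patch: under “logout”, place it before the “Sitecore.Pipelines.Logout.GotoLogin, Sitecore.Kernel” processor (for example with patch:before targeting that type), and add it to “speak.logout” as well, since the Launch pad and the Content Editor take different routes. For Azure AD, the value passed as “post_logout_redirect_uri” has to be registered as a reply/logout URL on the app registration; otherwise Azure AD signs the user out but refuses to redirect back to Sitecore.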

Summary

With a few extra pipeline processors, and with the help of Reflector, we can achieve single sign out with Sitecore.

Additional Notes

I’ve only tried this with Sitecore 9.0, and not with the new Sitecore Identity Server.