2

I have scenario where we use Thinktecture Identity Server (IdSrv) as both an R-STS and a IP-STS, as well as a O365 / WAAD tentant as an additional IP-STS. The user choose which Identity Provider to use via the Home Realm Discovery functionality in IdSrv.

Now, implementing a unified WS-Federation wsignout from the RP, is difficult, since I can't get the signout process to work properly against WAAD (Against the Thinktecture IP-STS it works fine);

Sorry, but we're having trouble signing you out. We received a bad sign-out request. If you wish to sign-out, please click the following link.

ACS20028: The requested redirection URL is invalid.

Well, the wreply URL parameter points to the RP, which the WAAD instance has no knowledge of.

If I try to follow the Sign-Out link, I get Sorry, but we're having trouble signing you out. We received a bad request.

ACS20026: The wtrealm parameter is missing or incorrect.

I've tried to modify the URL directly so that its wreply points to the IdSrv (which really is an RP of the WAAD), but I can't get it to work.

Has anyone gotten this to work?

rene
  • 41,474
  • 78
  • 114
  • 152
larsw
  • 3,790
  • 2
  • 25
  • 37
  • Can you post your RP signout code? – Nathan Jan 25 '14 at 02:07
  • WAAD sign-out does not work with multi-domain scenario for me as well. It looks like WAAD checks that `wreply` is one of the configured reply URLs. Obviously the check does not work correctly for sign-out, allowing only the first (or last) Reply URL, disallowing the rest with ASC20028 error. – ogggre Mar 24 '14 at 23:09

0 Answers0