Signout With SharePoint 2013 and SAML

Today’s topic is one for which I deserve zero credit; I’m just putting out info that one of our crack engineers, Chad Ray, managed to dig up. I wanted to publish it here because I’ve worked with and talked to so many folks in the past who have struggled with getting a truly complete signout experience from SharePoint when using SAML authentication. Chad was doing some digging and ran across a new property (in SharePoint 2013) on the SPTrustedIdentityTokenIssuer called ProviderSignOutUri. As Chad explained to me, you just need to set it to the authentication endpoint of your IdP. So, for example, if you are using ADFS as your IdP and the ADFS host name is adfs.contoso.com, then the value you would set this property to is https://adfs.contoso.com/adfs/ls.

Not only will this log you out of your SAML session, it will also invalidate the FedAuth cookie that you have locally, so you really do have to sign in again if you want to access content. Kudos to Chad for finding this and sharing it.
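The following is an added example of how to set the property from the SharePoint 2013 Management Shell; it is not code from the original post or from Chad. It assumes the trusted identity token issuer is named "ADFS Provider" (a placeholder; use the Name that Get-SPTrustedIdentityTokenIssuer reports in your farm) and uses the adfs.contoso.com host from the post. It reads the value back afterwards so you can confirm the change actually persisted to the configuration database.

```powershell
# Added example (not from the original post): set ProviderSignOutUri on the
# SPTrustedIdentityTokenIssuer so a SharePoint signout also redirects to the IdP's
# sign-out endpoint. Run in the SharePoint 2013 Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS Provider"   # placeholder: substitute your own issuer's Name
$signOutUri = "https://adfs.contoso.com/adfs/ls"   # ADFS host from the post

$sts = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $sts) { throw "Trusted identity token issuer '$issuerName' was not found" }

# Record the current value so the change can be reverted if needed.
Write-Host "Current ProviderSignOutUri: $($sts.ProviderSignOutUri)"

# The property is a System.Uri, so build one rather than assigning a bare string.
$sts.ProviderSignOutUri = New-Object System.Uri($signOutUri)
$sts.Update()

# Read the object back from the configuration database to confirm it persisted.
$check = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($check.ProviderSignOutUri.AbsoluteUri -ne $signOutUri) {
    throw "ProviderSignOutUri was not updated as expected"
}
Write-Host "ProviderSignOutUri is now $($check.ProviderSignOutUri)"
```

After running this, verify end to end from a browser: sign in through ADFS, use the SharePoint signout link, and confirm that you land on the ADFS endpoint and that the FedAuth cookie for the web application is gone, so a fresh request prompts for credentials again rather than silently reusing the old session.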

One thought on “Signout With SharePoint 2013 and SAML”

  1. I’ve implemented this and it works great. One caveat I haven’t been able to work around. If your session has expired and you make a request to signout, it processes the OOTB configuration where it signs you out and offers to close your browser window (without redirecting to the STS). I have not figured out a way around this yet.
