Logout of O365/Shib/CAS

Benjamin Cherian benjamin.cherian at villanova.edu
Wed May 6 08:09:37 EDT 2015

I think we have an approach that we are going to try, but it may be some time down the road before we test it out (due to project timelines). With only the default ADFS IdP available, if I login to O365 and then manually go to the ADFS logout URL, I appear to be logged out of ADFS as well as the O365 portal. The login page still has a cookie with my username, and asks me if I want to login as that user, but if I click on that, i'm logged out. I'm not completely familiar with the ADFS side, but I've seen the ADFS admin work with the various dialogs.

Here is my proposed, yet untested solution

  *   Set the logout url to be https://<ADFS-SERVER-DOMAIN>/adfs/ls/?nossl=1&wreply=<CAS-LOGOUT-URL>&wa=wsignout1.0&lc=1033
  *   Update the onload.js file in ADFS, and add JS so that if the query param wreply equals the CAS logout URL, and wa equals wsignout1.0, then redirect to the CAS logout URL

Again, it will probably be a while before we are able to test this in our dev environment. Maybe some other ADFS3/Shib users can chime in if they think this will work.

From: users [users-bounces at shibboleth.net] on behalf of Michael A Grady [mgrady at unicon.net]
Sent: Tuesday, May 05, 2015 12:08 AM
To: Shib Users
Subject: Re: Logout of O365/Shib/CAS

On May 4, 2015, at 10:37 PM, Michael A Grady <mgrady at unicon.net<mailto:mgrady at unicon.net>> wrote:

But if you set the logout URL to go to the CAS logout, and then have that redirect the user back to a URL you create on the ADFS Server, you could probably get what you want. Install IIS, and have a simple .Net app that just clears any and all cookies for the ADFS service. (Windows can co-exist ADFS and IIS's use of :443 on the same IP Address.) Redirect to that after the CAS logout. Not elegant, but seems a better option than messing with the dlls.

That's assuming you don't need to be able to read those cookies to find their names, because ADFS is scoping its cookies to /adfs, and you likely can't get your own script to be on that path. I can't find a definitive reference on what all the cookie names are, and the meaning of each, but one can at least see what they are thru live headers and looking at the cookies in your browser.

Michael A. Grady
Senior IAM Consultant, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20150506/1b5ac0f8/attachment.html>

More information about the users mailing list