how to logout from oauth2.0 authentication of windows azure active directory authentication

Question

We are using auth2.0 for windows azure active directory authentication where authentication is performed on https://login.microsoftonline.com/login.srf?wa=wsignin1.0&wtrealm=...... and after successful authentication we are redirecting to our site. for logout the site we delete all the cookies generated on our site and redirect to the login.microsoftonline.com/login.srf?wa=wsignin1.0&wtrealm=....... url again but at this time we are not getting any login credentials screen and redirected to our site with access token. What process is required to logout. because if we delete all cookies or close the browser and reopen the site works and redirecting us to login.microsoftonline.com/login.srf?wa=wsignin1.0&wtrealm=........ url.

we are using following code for logout process

    [NoCacheAttribute]
    public ActionResult LogOut()
    {
   UserCookieWrapper.delete_UserCookieWrapper();
     //This function delete all the datamemeber of the UserCookieWrapper class                             

     string[] theCookies =   
    System.IO.Directory.GetFiles(Environment.GetFolderPath(
    Environment.SpecialFolder.Cookies));
        foreach(string currentFile in theCookies)
        {
           try
           {
              System.IO.File.Delete(currentFile);
           }
           catch(Exception objEx) { }

        }                    
        Response.Clear();
       return RedirectToAction("Index", "Login"); 
       }

Answer 1

Clearing cookies you've created will not help you, since the user is still signed-in with the Azure AD. This is howo Web-SSO (Single-Sign-On) works. Regardless of the protocol you use to authenticate with Azure AD, you still need to implement the Sign Out properly - a federated Sign Out! This is the case with any web-sso provider you will find on the internet - Google, Facebook, LinkedIn, Twitter, you name it.

What you do is just signing user out of your Application, not from the identity provider. Once your application redirects the user to the selected identity provider (in your case AAD), if the user has an active session with it, one will not see login screen!

In order to properly implement federated sign-out, you have to read through the Implementing SSO with Azure Active Directory. You can fast forward to the "Implementing Sign Out Controller" step. Which will show a code like this:

public void SignOut()
{
     WsFederationConfiguration fc = 
            FederatedAuthentication.FederationConfiguration.WsFederationConfiguration;

     string request = System.Web.HttpContext.Current.Request.Url.ToString();
     string wreply = request.Substring(0, request.Length - 7);

     SignOutRequestMessage soMessage = 
                     new SignOutRequestMessage(new Uri(fc.Issuer), wreply);
     soMessage.SetParameter("wtrealm", fc.Realm);

     FederatedAuthentication.SessionAuthenticationModule.SignOut();
     Response.Redirect(soMessage.WriteQueryString());
} 

Please read through the entire section (better the entire article) to understand what the code does and why you have to go this way.