Signout With SharePoint 2013 and SAML

Today's topic is one for which I deserve zero credit, I'm just putting out info that one of our crack engineers, Chad Ray, managed to dig up. I wanted to publish it here because I've worked with and talked to so many folks in the past who have struggled with getting a truly complete signout experience from SharePoint when using SAML authentication. Chad was doing some digging and ran across a new property (in SharePoint 2013) on the SPTrustedIdentityTokenIssuer called ProviderSignOutUri. As Chad explained to me, you just need to set it to the authentication endpoint of your IdP. So for example, if you are using ADFS as your IdP and the ADFS host name is adfs.contoso.com, then the value you would set this property to is https://adfs.contoso.com/adfs/ls.

Not only will this log you out of your SAML session, it will also invalidate the fedauth cookie that you have locally so you really have to sign in again if you want to access content. Kudos to Chad for finding this and sharing it.

Comments

• Anonymous
  February 24, 2015
  The URI that should be used is "https://adfs.contoso.com/adfs/ls/?wa=wsignout1.0" otherwise you will get an error message rather than "You have successfully signed out"
• Anonymous
  February 24, 2015
  Jon, this is true typically of any other application that talks to ADFS, but the URI as Steve wrote it is correct because SharePoint will append the required '?wa=wsignout1.0' to the URI you register. I initially thought the same when I found the property but when I tested it, the string referenced previously was double appended, and ADFS didn't particularly care for that.