Wednesday, 29 August 2012

Adding Sign-out functionality in the application configured with ACS

In last post we had seen how to include the Login page in to our application and re-direct the same instead of the browser re-directing to the ACS login page. This provides us to customize the login page for our needs and can include those options with other page as well without showing a separate page.

As per the last example, there is no sign-out functionality included in that page. As of now to clear the application session, we required to close the browser.

As continuation of that post, this post talks about the sign-out functionality in the application. I am taking the example source code completed in the last post – which has required configured for authenticating the application using ACS.

Below are the steps for implementing sign-out in application.

Adding Sign out in the Application

Step 1: Open the Site.Master script source and add a logout event for HeadLoginStatus control.
[ <asp:LoginStatus ID="HeadLoginStatus" runat="server" LogoutAction="Redirect" LogoutText="Log Out" LogoutPageUrl="~/" OnLoggingOut="HeadLoginStatusLogout"/> ]
Step 2: Add the code behind for that event.
protected void HeadLoginStatusLogout(object sernder, EventArgs e)
{
    WSFederationAuthenticationModule federationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule; 
    FormsAuthentication.SignOut();
    federationAuthenticationModule.SignOut(true);
}
As there is no re-direct statement to any particular page, once the sign out process completed the application will re-direct to the start up page i.e., Default.aspx. But the Default.aspx page is not allowed to view without proper authentication. So the browser will re-direct the login page again (If there is no custom login page included, the browser re-direct to the ACS login page).

Now, we will add a logout page in the application.

Adding Logout page

Step 3: Add a new page (Logout.aspx) in the application and add the below script.
<div>
    You are logged out successfully!!!
    < br / >< br / >
    <a href="Login.aspx">Login Again</a>  
</div>
Change the HeadLoginStatusLogout event by adding re-direct statement.
protected void HeadLoginStatusLogout(object sernder, EventArgs e)
{
    WSFederationAuthenticationModule federationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule; 
    FormsAuthentication.SignOut();
    federationAuthenticationModule.SignOut(true);
    Response.Redirect("Logout.aspx");
}
Here I am re-directing to the the custom login page included in the project. If there is no login page in the project, you can re-direct to the Default.aspx (which has no rights to view the page without authentication) which will automatically re-direct to the ACS login page.

Step 4: The Logout.aspx page required to show without any authentication. So, open the Web.Config file and add the below configuration in the same scope as system.web node.
<location path="Logout.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
When signing out, the application re-direct to the Logout.aspx page. If the users required, they can login to the application again.

Making public visible pages

I wish to change this example in little bit more.. The application required to show some of the pages without any authentication process (For Ex: Default.as) and some pages only after authentication. If the users required, they can login to the application using ACS and If successful the application should show additional pages.

This functionality is useful when an application is targeted to the public audience. When administrator users want to do some activities on administrative pages, they can login to the application and gets pages dedicated to the administrator. To achieve this functionality, I am taking Default.aspx page to show without authentication and About.aspx page to show only with authentication.

Step 5: As the Default.aspx required to show without authentication, add that page also to the location node allowing anonymous users.
<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Now when runing the application, it will show Default.aspx page by default without any authentication. When clicking the About menu, the application redirect to the Login.aspx page for authentication. Once the authentication successful, the application shows both About.aspx and Default.aspx.

The final Web.Config will look as below.

download the working example of the source code here.

0 Responses to “Adding Sign-out functionality in the application configured with ACS”

Post a Comment