WSFederationAuthenticationModule.GetSignOutRedirectUrl Method (SignOutCleanupRequestMessage)

.NET Framework (current version)

Determines the URL to which to redirect when processing a WS-Federation sign-out clean-up request (wsignoutcleanup1.0) that contains a wreply parameter.

Namespace:   System.IdentityModel.Services
Assembly:  System.IdentityModel.Services (in System.IdentityModel.Services.dll)

protected virtual string GetSignOutRedirectUrl(
	SignOutCleanupRequestMessage signOutMessage
)

Parameters

signOutMessage

Type: System.IdentityModel.Services.SignOutCleanupRequestMessage

The sign-out clean-up request.

Return Value

Type: System.String

The URL to redirect to.

Exception Condition

signOutMessage has a Reply property that is null or empty.


signOutMessage is null.

This method is called from the CanReadSignInResponse method in the request processing pipeline to determine the URL to redirect to after processing a WS-Federation sign-out clean-up request. It is only invoked if the message has a wreply parameter (the signOutMessage parameter has a Reply property that is neither null nor empty).

The default implementation validates the reply URL contained in the message (the SignOutCleanupRequestMessage.Reply property) against the address of the security token service (STS) that is specified by the Issuer property. The following conditions must be true for the reply URL to be valid:

  1. The reply URL is an absolute URL.

  2. The reply URL has the same scheme as the issuer.

  3. The reply URL has the same port as the issuer.

  4. Either the reply URL has the same host as the issuer or the reply URL specifies a sub-domain of the issuer.

If all of these conditions are true, the reply URL (Reply) is returned; otherwise, the URL specified by the Issuer property is returned.

Override this method to provide additional validation for the reply URL.
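
One way to layer an exact-match allow-list on top of the default checks listed above, as an added example that is not code from this documentation page. The class name StrictSignOutModule, the AllowedReplies set and the sts.example.com URLs are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;

// Added example (hypothetical class name): narrows the default reply-URL check.
public class StrictSignOutModule : WSFederationAuthenticationModule
{
    // Assumption: the only landing pages this relying party expects after sign-out.
    // Constructed sample values, written in the canonical form System.Uri produces.
    private static readonly HashSet<string> AllowedReplies =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "https://sts.example.com/signedout",
            "https://sts.example.com/account/goodbye"
        };

    protected override string GetSignOutRedirectUrl(
        SignOutCleanupRequestMessage signOutMessage)
    {
        // Default checks first: absolute URL, same scheme and port as the issuer,
        // same host or a sub-domain of it. If any check fails, this returns Issuer.
        string candidate = base.GetSignOutRedirectUrl(signOutMessage);

        Uri reply;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out reply))
        {
            return Issuer;
        }

        // Additional validation: HTTPS only, no embedded credentials, and an exact
        // scheme/host/port/path match, so an arbitrary sub-domain is not enough.
        string normalized = reply.GetLeftPart(UriPartial.Path);
        bool allowed = reply.Scheme == Uri.UriSchemeHttps
            && reply.UserInfo.Length == 0
            && AllowedReplies.Contains(normalized);

        // Return the normalized form so any query string supplied in wreply is dropped.
        return allowed ? normalized : Issuer;
    }
}
```

To take effect, the derived module has to be registered in the application's web.config in place of WSFederationAuthenticationModule.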

.NET Framework
Available since 4.5