I have implemented ADFS login in both the CMS and Manager Startup.cs methods (this is shortened for simplicity):
    public void Configuration(IAppBuilder app)
    {
        using (var applicationOptions = new ApplicationOptions { ConnectionStringName = _connectionStringHandler.Commerce.Name })
        {
            // client specific code here
        }
        app.Map(url, map => map.Run(ctx =>
        {
            if (ctx.Authentication.User?.Identity == null || !ctx.Authentication.User.Identity.IsAuthenticated)
            {
                var redirectTo = new Uri(postLoginRedirectUri).AbsoluteUri;
                return Task.Run(() => ctx.Response.Redirect(redirectTo));
            }
            return Task.FromResult(0); // already authenticated, nothing to do
        }));
        app.Map(logoutUrl, map => map.Run(ctx =>
            Task.Run(() => ctx.Response.Redirect(new Uri(postLogoutRedirectUri).AbsoluteUri))));
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
    }
Logging into the CMS part ensures that the user is logged into the Manager part as well. Logging out from the Manager part using the top-left Sign out link results in an error with the following message:
"OpenIdConnectMessage.Error was not null, indicating an error. Error: 'server_error'. Error_Description (may be empty): 'MSIS9604%3a+An+error+occurred.+The+authorization+server+was+not+able+to+fulfill+the+request.'. Error_Uri (may be empty): ''."
I have put /Apps/Shell/Pages/Logout.aspx as the logout endpoint, but I see now that it is just the resulting page after logging out. The Sign out link has # as the value of its href attribute.
I couldn't figure out what URL should be provided to the IT team that is responsible for setting up ADFS so that it functions properly.
Anyone? I am guessing that logging out of the Manager part is done in JS. Is that correct? If so, what URL is the one that handles the actual logging out?
Not sure if I'm of any help here, but if you visit <cm-root-location>/Apps/Shell/Pages/logout.aspx you get logged out of your session.
If you want to investigate further, the .xml file that configures the logout button can be found under "~/Apps/Shell/Config/View/TopMenu.xml". There you'll see the <button>-tag for id="SignOutBtn" that is configured to run the command "ECF_Top_SignOut".
ECF_Top_SignOut is specified in the same file and is configured with a <ClientScript>-tag that does "CSManagementClient.OpenInternal('~/logout.aspx')".
There are actually two approaches to achieve this, if not even more.
The first one is to add this piece of code to Startup.cs:
    app.Map(logoutUrl, map => map.Run(ctx =>
    {
        ctx.Authentication.SignOut();
        ctx.Authentication.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
        return Task.FromResult(0);
    }));
Note: the line after signing out actually did the trick for me.
The second one is that the IT department responsible for actually setting up ADFS has to run the PowerShell script to handle the Logout URL used for both the CMS and Commerce parts. In this way ADFS would be responsible for stripping the user of all the claims. This is a better way of solving this in my opinion.
Here is some info on ADFS and how to do an OIDC logout; it should be just a matter of adding a hint parameter when redirecting to the IdP and then listening on the logout endpoints in each connected application.
But then again, the issue here was that Epi has buried some calls inside JS? It can also be a bit confusing that the OWIN layer intercepts and might return a status that the JS might not be ready for. That should be easy to emulate though.
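As an added example that is not part of this thread (neither Episerver's code nor any poster's), the logout mapping from the second post's first approach combined with the OIDC sign-out the last reply describes: the handler ends the local cookie session and the ADFS session in one go and only follows allow-listed post-logout targets. `logoutUrl`, `allowedPostLogoutUris`, `fallback` and the `returnUrl` query parameter are assumed names; the post-logout URI still has to be registered on the ADFS client.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public static class LogoutEndpoint
{
    // Maps logoutUrl (the path the Commerce Manager JS ends up calling) onto a handler that
    // ends both sessions and redirects to an allow-listed location. All names are assumptions.
    public static void MapLogout(this IAppBuilder app, string logoutUrl,
                                 Uri[] allowedPostLogoutUris, Uri fallback)
    {
        app.Map(logoutUrl, map => map.Run(ctx =>
        {
            // Accept only an allow-listed absolute returnUrl, so the endpoint is not an open redirect.
            var target = ResolveRedirect(ctx.Request.Query["returnUrl"], allowedPostLogoutUris, fallback);
            if (ctx.Authentication.User?.Identity?.IsAuthenticated == true)
            {
                // Cookie sign-out clears the local session; OIDC sign-out makes the middleware reply
                // with a redirect to the ADFS end-session endpoint (id_token_hint included), so the
                // IdP session ends too. RedirectUri becomes the post-logout target ADFS sends us back to.
                ctx.Authentication.SignOut(
                    new AuthenticationProperties { RedirectUri = target.AbsoluteUri },
                    CookieAuthenticationDefaults.AuthenticationType,
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
                // Drop the principal for the rest of this request so nothing downstream still sees claims.
                ctx.Authentication.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
                return Task.FromResult(0);
            }
            // Already anonymous (e.g. logout.aspx hit twice): plain redirect, no ADFS round trip.
            ctx.Response.Redirect(target.AbsoluteUri);
            return Task.FromResult(0);
        }));
    }

    // Returns the candidate only if its scheme, authority and path prefix match an allowed entry.
    public static Uri ResolveRedirect(string returnUrl, Uri[] allowed, Uri fallback)
    {
        Uri candidate;
        if (string.IsNullOrEmpty(returnUrl) || !Uri.TryCreate(returnUrl, UriKind.Absolute, out candidate))
            return fallback;
        bool ok = allowed.Any(a => a.Scheme == candidate.Scheme
            && string.Equals(a.Authority, candidate.Authority, StringComparison.OrdinalIgnoreCase)
            && candidate.AbsolutePath.StartsWith(a.AbsolutePath, StringComparison.OrdinalIgnoreCase));
        return ok ? candidate : fallback;
    }
}
```

Because the OWIN middleware answers the logout request with a 302 to ADFS rather than a page, the Manager JS that opens ~/logout.aspx should be prepared to follow that redirect instead of expecting the logout page's HTML.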