I have an application that is set up to authenticate against a WAAD tenant. The application configuration in the Azure Management Portal specifies two reply URLs for the application:
http://<myapp>.cloudapp.net/
http://localhost:1915/
(Note: the first URL also matches my Realm, if that matters)
In development, my application is set up to use the latter reply URL, and single sign-in works fine. However, when I try to perform a sign-out request:
using System;
using System.IdentityModel.Services; // FederatedAuthentication, SignOutRequestMessage (WIF)

// Read the realm, reply URL and issuer from the WS-Federation configuration
var config = FederatedAuthentication.FederationConfiguration;
string wtrealm = config.WsFederationConfiguration.Realm;
string wreply = config.WsFederationConfiguration.Reply;

// Build the wsignout1.0 request aimed at the issuer (the STS)
var signoutRequestMessage = new SignOutRequestMessage(new Uri(config.WsFederationConfiguration.Issuer));
signoutRequestMessage.Parameters.Add("wreply", wreply);
signoutRequestMessage.Parameters.Add("wtrealm", wtrealm);

// Clear the local session cookie, then send the browser to the STS sign-out endpoint
FederatedAuthentication.SessionAuthenticationModule.SignOut();
context.HttpContext.Response.Redirect(signoutRequestMessage.WriteQueryString());
the request fails with an ACS error saying the reply URL is invalid. If I switch to the first reply URL, sign-out works too -- but of course, not in the development environment. What's up?
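The sign-out exchange the question describes, as an added Python example (not the asker's code and not the WIF or ACS implementation): it builds the wsignout1.0 query that the C# above produces and then checks the wreply value against the registered reply URLs with a strict allow-list match, the kind of check a federation endpoint applies before redirecting. The issuer URL, the sample reply URLs and the exact matching rule are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values modelled on the question; the issuer is a placeholder.
ISSUER = "https://login.example.net/tenant-placeholder/wsfed"
REGISTERED_REPLY_URLS = {"http://myapp.cloudapp.net/", "http://localhost:1915/"}


def build_signout_url(issuer, wtrealm, wreply):
    """Build the wsignout1.0 request URL, as SignOutRequestMessage.WriteQueryString does."""
    params = {"wa": "wsignout1.0", "wreply": wreply, "wtrealm": wtrealm}
    return issuer + "?" + urlencode(params)


def normalise(url):
    """Reduce a URL to (scheme, host, port, path) so comparison is strict but not
    sensitive to case or an omitted default port. This rule is an assumption."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/")


def is_registered_reply(wreply, registered):
    """True only if wreply matches one registered reply URL exactly (no prefix match)."""
    return normalise(wreply) in {normalise(r) for r in registered}


def validate_signout_request(url, registered=REGISTERED_REPLY_URLS):
    """Judge an incoming sign-out request the way an allow-list check would:
    returns (ok, reason). Any unregistered wreply is refused, which is what
    stops the sign-out endpoint being used as an open redirect."""
    query = parse_qs(urlsplit(url).query)
    if query.get("wa") != ["wsignout1.0"]:
        return False, "not a wsignout1.0 request"
    wreply = query.get("wreply", [None])[0]
    if not wreply:
        return False, "missing wreply"
    if not is_registered_reply(wreply, registered):
        return False, "wreply is not a registered reply URL"
    return True, "ok"


if __name__ == "__main__":
    for reply in ("http://localhost:1915/", "http://localhost:1916/", "https://myapp.cloudapp.net/"):
        url = build_signout_url(ISSUER, "http://myapp.cloudapp.net/", reply)
        print(reply, "->", validate_signout_request(url))
```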