
I am implementing my own SecurityTokenService that's derived from the WIF's STS. Do I need to implement the Cancel method compulsorily?

By default Windows Identity Foundation's SecurityTokenService is instantiated per call, as stated in this article. If I do not cache anything explicitly (or do something similar), do you see anything that should be taken care of by implementing the Cancel method? Does the STS or WIF do something in the background that should be handled when the user logs out (when the Cancel method is called)? For example, had I been caching the token, I would have to remove it from the cache in the Cancel method when the user logs out.

Learner

1 Answer


It is up to your implementation. If your STS does not implement the Validate method, there's no point in implementing Cancel.

The intent of Validate is that a recipient can check with your STS whether a token that is within its expiration window has been revoked (perhaps via Cancel).

FWIW, I don't think AD FS supports Cancel and Validate. Few real-world architectures use them.

Note that when a user logs out in AD FS, their session with the AD FS server is revoked. However, any tokens issued by AD FS on their behalf will still be accepted by relying parties.

cldellow