
My understanding with regard to Thinktecture's Identity Server 2 is that Single Sign Out is not implemented. In other words, when you sign out of one Relying Party, Identity Server does not sign the user out of any other RPs automatically. I know there have been posts regarding this but I have not been able to find anything on how to extend Identity Server to do this. I've seen some posts that say Identity Server already does this out of the box...if it does I haven't been able to find out how.

I have SSO working just fine with Asp.NET Web Forms, WIF and Identity Server 2, and I'm able to sign out of an RP just fine, but from what I can tell some additional code is required in Identity Server in order to completely sign the user out of any other RPs he might be signed into.

Has anyone extended Identity Server to implement Single Sign Out?

Is this something that can be configured in Identity Server or is there some coding required?

I'd really appreciate some insight if you have it.

Thank you.

TrevorBrooks

1 Answer

IdentityServer supports single signout via WS-Federation. Your RP would need to make the signout request to IdentityServer to have the user logged out of IdentityServer and any other RP that had authenticated with IdentityServer via WS-Fed. Here's a snippet of how your RP would make such a request:

using System;
using System.IdentityModel.Services;

// 1. Clear this RP's own session cookie (the FedAuth cookie written by the SAM).
var sam = FederatedAuthentication.SessionAuthenticationModule;
sam.SignOut();

// 2. Send the browser to IdentityServer with a WS-Federation sign-out request so the
//    IdentityServer session, and any other WS-Fed RPs, are cleaned up as well.
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signOutRequest = new SignOutRequestMessage(new Uri(fam.Issuer));
// optional -- put your RP's URL here to be sent back to it after sign-out
// signOutRequest.Reply = "https://localhost:44321/";
var url = signOutRequest.WriteQueryString();
Response.Redirect(url);
Brock Allen
  • This is almost identical to the code I was using. After signing out of WebsiteOne with the code snippet you provided, I am redirected to IdSrv and appear to be signed out (the FedAuth cookies are gone). But when I switch over to WebsiteTwo and refresh I expect to be signed out there too, but when I do a refresh I'm still signed in to WebsiteTwo and the FedAuth cookies are still there. I have named the cookies WebsiteOne and WebsiteTwo in their respective cookieHandler configs but this doesn't appear to have any effect. – TrevorBrooks Apr 23 '14 at 13:29
  • Not sure then -- you'd have to debug it (or I'd have to repro it locally). – Brock Allen Apr 24 '14 at 00:09
  • @TrevorBrooks The second website will not be signed out until it checks the token validity for the pre-existing cookie. Same origin policy would prevent the first website or IdentityServer from clearing the second website's cookie. Setting the token lifetime to a lower value will force a validity check sooner, but will increase overhead. – psaxton Aug 26 '14 at 16:08
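An added example, not code from the answer or from IdentityServer, of the mitigation the last comment points at: the second RP capping how long it trusts its own FedAuth cookie, so a sign-out done at IdentityServer is noticed within a bounded window instead of at the STS token's expiry. It assumes a WIF 4.5 Web Forms RP whose SessionAuthenticationModule is registered in web.config under that name (ASP.NET then auto-wires the Global.asax method below); the 10-minute cap is an assumed value.

```csharp
// Global.asax.cs of the relying party (assumed placement; names are illustrative).
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;

public partial class Global : System.Web.HttpApplication
{
    // Assumed RP policy: never honour a session cookie for longer than this,
    // whatever lifetime IdentityServer put on the original token.
    private static readonly TimeSpan MaxSessionLifetime = TimeSpan.FromMinutes(10);

    // Raised by the SAM on every request that carries a FedAuth cookie.
    void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var sam = (SessionAuthenticationModule)sender;
        SessionSecurityToken token = e.SessionToken;
        DateTime now = DateTime.UtcNow;
        DateTime cap = token.ValidFrom + MaxSessionLifetime;

        if (now >= cap)
        {
            // The RP's cap has passed: drop the cookie and do not build a
            // principal from it. The next protected request is redirected to
            // IdentityServer, which is where a sign-out done from another RP
            // becomes visible to this one.
            sam.DeleteSessionTokenCookie();
            e.Cancel = true;
            return;
        }

        if (token.ValidTo > cap)
        {
            // IdentityServer issued a longer session than this RP is willing
            // to hold: reissue the cookie with the validity clamped to the cap.
            e.SessionToken = sam.CreateSessionSecurityToken(
                token.ClaimsPrincipal, token.Context,
                token.ValidFrom, cap, token.IsPersistent);
            e.ReissueCookie = true;
        }
    }
}
```

Shortening the window trades a bounded sign-out delay for more round trips to IdentityServer, which is the overhead the comment mentions.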