
I'm building a distributed system with multiple clients that use a single identity server for authentication. This provides single sign-on between these clients.

When a user signs out from one of the clients, and thus signs out from the identity server, can the identity server sign the user out from all other clients?

I've seen this asked here: Thinktecture identity server 3 Single Sign Out

If the answer is no, would the identity provider have to redirect the user to the sign out URLs of each client that federates with it? Or does the identity server know which clients the user had authenticated with and could be selective in the redirects?

Edit:

Or can the identity provider explicitly call a service on each client to expire that user's session?

MrDeveloper

1 Answer


To implement Single Sign Out you usually have a page on the STS with img tags for each RP:

<div>
    <img src="http://rp1.com?wa=wsignoutcleanup1.0" />
    <img src="http://rp2.com?wa=wsignoutcleanup1.0" />
</div>

And a timer or a piece of JS to redirect when all images are loaded. The STS may or may not remember on which RPs the user was logged in. Asking for a wsignoutcleanup when you haven't signed in is no big deal.

More information available here:

That being said, I don't know how this is handled in IdentityServer.

Guillaume
  • This might be seen as insecure as we're asking the user (the entity we trust the least and have no control over) to be responsible for signing the user out of all services. I presume that is why when performing a single-sign-out we sometimes see the message 'We could not log you out successfully' to alert the user of this fact. – MrDeveloper Jun 04 '15 at 13:39
  • The img indicates whether the logout worked on the RP. The logout page can display a list with an icon indicating whether the logout succeeded for each RP. – Guillaume Aug 18 '16 at 07:45
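The mechanism in the answer and the follow-up comments (one wsignoutcleanup request per RP, a timer so the page does not hang on a dead RP, and a per-RP success indicator shown to the user) as a worked client-side example. This is added here for illustration and is not code from the original answer, from Thinktecture IdentityServer or from any RP; the RP hosts, the post-logout URL, the `signout-status` element id and the timeout value are assumptions.

```javascript
'use strict';

// Added example, not from the original post or from IdentityServer.
// WS-Federation single sign-out driver for the STS's sign-out page: one
// request per relying party to its "wa=wsignoutcleanup1.0" endpoint, the
// outcome of each recorded, and a redirect only after every RP has reported
// (or a timeout elapsed). RP hosts and element ids below are assumptions.

const WS_FED_SIGNOUT_CLEANUP = 'wsignoutcleanup1.0';

// Build the cleanup URL for one RP, keeping any query string the RP base
// already has. Only RPs from the STS's own configured list may be passed in:
// taking RP URLs from the sign-out request would let anyone make every
// user's browser fetch attacker-chosen URLs from the STS's sign-out page.
function cleanupUrl(rpBase) {
  const u = new URL(rpBase);
  u.searchParams.set('wa', WS_FED_SIGNOUT_CLEANUP);
  return u.toString();
}

// DOM-free bookkeeping so the logic can be exercised outside a browser.
// Each RP is 'pending' until its image loads ('ok') or errors ('failed');
// anything still pending when the timer fires becomes 'timeout'.
function createSignOutTracker(cleanupUrls, onComplete) {
  const status = new Map(cleanupUrls.map((u) => [u, 'pending']));
  let finished = false;

  function finish(reason) {
    if (finished) return; // completion is reported exactly once
    finished = true;
    for (const [url, s] of status) if (s === 'pending') status.set(url, 'timeout');
    const results = Object.fromEntries(status);
    const allSucceeded = Object.values(results).every((s) => s === 'ok');
    onComplete({ reason, results, allSucceeded });
  }

  return {
    // Called from the image's onload (ok=true) / onerror (ok=false) handler.
    // Reports for unknown URLs or for an RP that already reported are ignored.
    report(url, ok) {
      if (finished || status.get(url) !== 'pending') return false;
      status.set(url, ok ? 'ok' : 'failed');
      if ([...status.values()].every((s) => s !== 'pending')) finish('all-reported');
      return true;
    },
    timeout() { finish('timeout'); },
    snapshot() { return Object.fromEntries(status); },
  };
}

// Browser side (assumes a page with a <ul id="signout-status">). Instead of
// static <img> tags, Image objects are created here so the onload/onerror
// handlers close over the exact URL used as the tracker key.
function startSignOut(rpBases, postLogoutUrl, timeoutMs, doc, win) {
  const urls = rpBases.map(cleanupUrl);
  const tracker = createSignOutTracker(urls, ({ results, allSucceeded }) => {
    // Show the per-RP outcome first: an RP marked 'failed' or 'timeout'
    // still holds its own session and the user should be told so.
    const list = doc.getElementById('signout-status');
    for (const [url, s] of Object.entries(results)) {
      const li = doc.createElement('li');
      li.textContent = `${new URL(url).host}: ${s}`;
      list.appendChild(li);
    }
    if (allSucceeded) win.location.assign(postLogoutUrl);
  });
  for (const url of urls) {
    const img = new win.Image();
    img.onload = () => tracker.report(url, true);
    img.onerror = () => tracker.report(url, false);
    img.src = url; // triggers the cross-site request carrying the RP's cookie
  }
  win.setTimeout(() => tracker.timeout(), timeoutMs);
  return tracker;
}

// In the browser: startSignOut(['https://rp1.example', 'https://rp2.example'],
//                              '/loggedout', 5000, document, window);
```

The browser is still the party doing the work, as the first comment notes: the STS only learns what the image load reported, so a failed or timed-out RP should be shown to the user rather than silently redirected past. Note also that onload/onerror only distinguish "a valid image came back" from anything else; an RP that clears its session but answers with an HTML page will be reported as failed.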