We are using IdentityServer4. We have a Windows 2016 server running ADFS (Active Directory Federation Services) version 4.0. This version of ADFS has OpenID Connect endpoints to do Active Directory authentication. We set this up as an external OIDC provider in IdentityServer4. The authentication works fine. What I'm having an issue with is the logout. The current logout correctly disposes of the identity server and client cookies, but doesn't log the user out of the external provider (ADFS). I upgraded the ADFS server so the metadata endpoint exposes end_session_endpoint, frontchannel_logout_supported, and frontchannel_logout_session_supported properties.
What is the proper way to have our IdentityServer4 implementation also ask the external provider to perform a logout when it does? I'm a little confused by the spec.
http://docs.identityserver.io/en/release/topics/signout_external_providers.html
http://docs.identityserver.io/en/release/topics/signout.html#refsignout
I'm not sure if the front-channel or back-channel is what I should be looking at in this scenario or if this is even related. The spec also mentions an idp value at authentication time that would indicate to the identity server that an external provider needs a logout as well. Is this what I should be looking at? Little lost. Looking for guidance. Thanks!