
We are using the ItFoxTec library for SAML authentication. Federated login is working fine. The problem is with federated logout. The scenario is like this: we have two applications, named mvcapp and singlepageapp (Angular). When I click on the login button on mvcapp, I am redirected to my IdP login page and get back to mvcapp after authentication. There is a link to my singlepageapp on mvcapp. I click on that link; I am already logged in at the IdP, so my API receives a SAML token from the IdP, the API consumes the token, makes a JWT token and redirects me to singlepageapp along with the JWT token (created using the SAML token) in the query string.

Now the user clicks on the logout button on mvcapp, and a logout request goes to the IdP logout endpoint. The IdP knows that this user has logged in to these two applications, and the IdP has the logout endpoints of these two applications. Now the IdP makes a logout request for singlepageapp (the logout endpoint is an API endpoint). The API doesn't have any cookie, but singlepageapp has the JWT token in the browser. So my question is: how will the API delete the JWT token, so that the user is logged out from both applications?

Anders Revsgaard
Dalip Choudhary

1 Answer

First, if the IdP supports both SAML 2.0 and OIDC (OpenID Connect), the best solution is for the mvcapp to use SAML 2.0 and the singlepageapp to use OIDC. Or maybe both apps could use OIDC.

Alternatively, I think the solution is to use OIDC to secure the singlepageapp instead of just JWT, where the API actually becomes an IdP itself. Because the API acts as an IdP, the API needs to hold the user's session, but it is not possible to use a cookie.

OIDC supports user sessions and logout with OpenID Connect Session Management. This standard also supports Session Status Change Notification, where the singlepageapp client can call the API IdP to verify whether the user session in the JWT is still active.

marc_s
Anders Revsgaard
  • What if the mvc app does not send a SAML logout response to the IdP? According to me, then the SLO process will be broken and the logout request initiator will get nothing in response. Is it? – Dalip Choudhary Mar 27 '19 at 20:49
  • Yes, correct: a relying party receiving a SAML 2.0 logout request has to answer with a SAML 2.0 logout response. Otherwise the SLO (single logout) will be broken. – Anders Revsgaard Mar 28 '19 at 15:26