Single Sign Out with Thinktecture Identity Server 2

My understanding with regard to Thinktecture's Identity Server 2 is that Single Sign Out is not implemented. In other words, when you sign out of one Relying Party, Identity Server does not sign the user out of any other RPs automatically. I know there have been posts regarding this but I have not been able to find anything on how to extend Identity Server to do this. I've seen some posts that say Identity Server already does this out of the box... if it does, I haven't been able to find out how.

I have SSO working just fine with ASP.NET Web Forms, WIF and Identity Server 2, and I'm able to sign out of an RP just fine, but from what I can tell some additional code is required in Identity Server in order to completely sign the user out of any other RPs he might be signed into.

Has anyone extended Identity Server to implement Single Sign Out?

Is this something that can be configured in Identity Server or is there some coding required?

I'd really appreciate some insight if you have it.

Thank you.

IdentityServer supports single signout via WS-Federation. Your RP would need to make the signout request to IdentityServer to have the user logged out of IdentityServer and any other RP that had authenticated with IdentityServer via WS-Fed. Here's a snippet of how your RP would make such a request:

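// In .NET 4.5 these types live in System.IdentityModel.Services.

// Remove this RP's local session cookie.
var sam = FederatedAuthentication.SessionAuthenticationModule;
sam.SignOut();

// Build a WS-Federation sign-out request addressed to the issuer (IdentityServer).
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signOutRequest = new SignOutRequestMessage(new Uri(fam.Issuer));
// optional -- put your RP's URL here
// signOutRequest.Reply = "https://localhost:44321/";
var url = signOutRequest.WriteQueryString();

// Send the browser to IdentityServer to complete the sign-out.
Response.Redirect(url);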
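
What the sign-out request above leads to on the other relying parties, as an added example that is not part of the original answer: in WS-Federation the identity provider asks each RP to drop its session with a `wsignoutcleanup1.0` request, which WIF's `WSFederationAuthenticationModule` handles and surfaces through its `SigningOut` event. Logging that event in each RP is a simple way to confirm that single sign-out actually reaches it. The cookie name `MyAppState` is hypothetical, and the handler names assume the module is registered in web.config as `WSFederationAuthenticationModule`.

```csharp
// Global.asax.cs of a relying party (added example, not the answer's code).
// Assumes .NET 4.5 WIF with the module registered in web.config under the
// name "WSFederationAuthenticationModule"; ASP.NET binds the handlers below
// to the module's events by that name.
using System;
using System.Diagnostics;
using System.IdentityModel.Services;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical application cookie that must not outlive the session.
    private const string AppCookieName = "MyAppState";

    // Raised by the WS-Federation module before it removes the session cookie.
    // e.IsIPInitiated is true when the sign-out arrived as a
    // wsignoutcleanup1.0 request from the identity provider, i.e. the user
    // signed out at IdentityServer or at another RP.
    void WSFederationAuthenticationModule_SigningOut(object sender, SigningOutEventArgs e)
    {
        if (!e.IsIPInitiated)
        {
            return; // sign-out started by this RP through the module
        }

        Trace.TraceInformation(
            "IdP-initiated sign-out (wsignoutcleanup1.0) received from {0}",
            Request.UserHostAddress);

        // Expire application state tied to the session. ASP.NET session
        // state is not loaded yet at this stage of the request, so only
        // cookies and server-side stores can be cleaned up here.
        Response.Cookies.Add(new HttpCookie(AppCookieName)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
    }

    // Raised after the module has removed the session cookie.
    void WSFederationAuthenticationModule_SignedOut(object sender, EventArgs e)
    {
        Trace.TraceInformation("WS-Federation sign-out completed at {0:o}", DateTime.UtcNow);
    }
}
```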
