Owin Authentication Single Sign-Out

I've got a custom Authentication middleware working for single sign-on. I'm wondering how I should go about implementing a single sign-out solution.

I need to call Authentication.Signout() to sign out of my application, but I then need to redirect the user to the sign out endpoint of our custom STS. Where should I handle this? Invoke? ApplyResponseGrant? Not in the handler at all, but just a manual redirect?

edit: This is an MVC app. I have everything working EXCEPT linking the local logout to logging out of the STS. Adding my existing code here would do nothing but obfuscate my question, IMO. If there is a specific piece of code that would help, let me know and I'll add it.

Ideally, I'd like some sort of event or flag that tells me the user is signing out, and then change the response into a 302 to the external logout. If I put this code in the ApplyResponseGrant, I have a feeling it will prevent the CookieAuthentication middleware from clearing the auth cookie. If I put this code in the Logout controller action (after a call to Authentication.SignOut()), then I leave it up to each application to handle the single sign off.

I got it working. Here's what I did.

In my AccountController, I added a Logout action that returns a Redirect("/signout-custom").

In my OWIN handler, I watch for that URL in the Invoke method, call my remote sign out endpoint, the local sign out method, and stop OWIN processing.

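public override async Task<bool> InvokeAsync() {
    //other code

    // The Logout action redirects here; handle the sign-out in the middleware.
    if (Request.Path == Options.LogoutCallbackPath) {
        // Register the local sign-out for this authentication type.
        Context.Authentication.SignOut(Options.AuthenticationType);
        // Send the browser on to the STS sign-out endpoint with a return URL.
        Response.Redirect(WebUtilities.AddQueryString(Options.ClauthLogoutUri, "returnUrl", "http://localhost:62506/Home/About"));
        // true = request handled; later middleware is not invoked.
        return true;
    }

    //other code

}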

The redirect does not interrupt the OWIN flow, so the CookieAuthentication middleware still runs and clears the local auth cookie as it should.
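
The question asks for an event or flag that signals a sign-out. The sketch below is an added example, not the poster's code: it uses Katana's SecurityHelper.LookupSignOut inside ApplyResponseGrantAsync to detect a sign-out and then redirect to the STS. It assumes the Microsoft.Owin.Security package; CustomStsOptions, CustomStsHandler, StsLogoutUri and PostLogoutReturnUrl are hypothetical names.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical options type; property names are assumptions for this example.
public class CustomStsOptions : AuthenticationOptions
{
    public CustomStsOptions() : base("CustomSts") { }

    // Absolute URL of the STS sign-out endpoint.
    public string StsLogoutUri { get; set; }

    // Fixed, configured value rather than request input, so a caller
    // cannot steer where the STS sends the browser after sign-out.
    public string PostLogoutReturnUrl { get; set; }
}

public class CustomStsHandler : AuthenticationHandler<CustomStsOptions>
{
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        // Sign-in handling is out of scope for this example.
        return Task.FromResult<AuthenticationTicket>(null);
    }

    protected override Task ApplyResponseGrantAsync()
    {
        // Non-null when this request called SignOut naming this authentication
        // type (or, for an Active middleware, SignOut with no types at all).
        AuthenticationResponseRevoke signout =
            Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode);

        if (signout != null)
        {
            string separator = Options.StsLogoutUri.Contains("?") ? "&" : "?";
            string target = Options.StsLogoutUri + separator
                + "returnUrl=" + Uri.EscapeDataString(Options.PostLogoutReturnUrl);

            // Turn the outgoing response into a 302 to the STS sign-out endpoint.
            Response.Redirect(target);
        }

        return Task.FromResult<object>(null);
    }
}
```

With this shape the Logout action calls SignOut with both the cookie authentication type and "CustomSts"; each handler looks up the sign-out for its own type independently.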
