Alexander Zeitler

No more leaky abstractions

WS-Federation-SignOut with Thinktecture IdentityServer 2

Geschrieben von Alexander Zeitler am 09. August 2014

Tags: englishwsfederationidentityserver

Beside Single Sign On (SSO), Thinktecture IdentityServer 2 also provides Single Sign Out for WS-Federation. This post shows how to use it from a ASP.NET MVC Relying Party.

Lets consider, in IdentityServer, you created a Relying Party and WS-Federation is set up already (otherwise you also won’t be able to do SSO :) ) hosted at Given your applications sign out link points to your AccountController, the federated sign out can be implemented this way:

public class AccountController : Controller
    public ActionResult Index() {
        return View();

    public void SignOut() { 
        if (User.Identity.IsAuthenticated) {

            var signOutRequest =
                new SignOutRequestMessage(new Uri(
                        FederatedAuthentication.WSFederationAuthenticationModule.Issuer)) {
                            Reply = ""

Hitting the “Logout” button in your application will invoke the SignOut Action of the AccountController which will sign you out from IdentityServer.
As we provided the optional Reply-URL, IdentityServer will render a link which allows you to head back to your application after performing the Sign Out:

blog comments powered by Disqus