Alexander Zeitler

No more leaky abstractions

WS-Federation-SignOut with Thinktecture IdentityServer 2

Written by Alexander Zeitler on 09 August 2014

Tags: english, wsfederation, identityserver

Besides Single Sign On (SSO), Thinktecture IdentityServer 2 also provides Single Sign Out for WS-Federation. This post shows how to use it from an ASP.NET MVC Relying Party.

Let's assume that in IdentityServer you have created a Relying Party hosted at https://application.contoso.org and that WS-Federation is already set up (otherwise you also won't be able to do SSO :) ). Given that your application's sign out link points to your AccountController, the federated sign out can be implemented this way:

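using System;
using System.IdentityModel.Services;
using System.Web.Mvc;

public class AccountController : Controller
{
    [Authorize]
    public ActionResult Index() {
        return View();
    }

    [AllowAnonymous]
    public void SignOut() {
        if (User.Identity.IsAuthenticated) {
            // Remove the local session (deletes the relying party's session cookie).
            FederatedAuthentication.SessionAuthenticationModule.SignOut();

            // Build the WS-Federation sign-out request for the configured issuer.
            var signOutRequest =
                new SignOutRequestMessage(new Uri(
                    FederatedAuthentication.WSFederationAuthenticationModule.Issuer)) {
                    // Optional: where IdentityServer should link back to after sign out.
                    Reply = "https://application.contoso.org"
                };

            // Send the browser to IdentityServer to end the federated session.
            Response.Redirect(signOutRequest.WriteQueryString());
        }
    }
}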

Hitting the “Logout” button in your application will invoke the SignOut action of the AccountController, which will sign you out from IdentityServer.
As we provided the optional Reply URL, IdentityServer will render a link which allows you to head back to your application after performing the sign out.
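To verify in a test that the SignOut action sends the browser where you expect, the following added example (not code from the original post or from IdentityServer) inspects the redirect target: a WS-Federation sign-out request carries wa=wsignout1.0 and, optionally, wreply. The class and method names and the issuer URL are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility.ParseQueryString

// Added example: SignOutRedirectCheck and Inspect are hypothetical names.
public static class SignOutRedirectCheck
{
    // Returns the problems found; an empty list means the redirect is a
    // well-formed WS-Federation sign-out request to the expected issuer.
    public static List<string> Inspect(string location, Uri expectedIssuer, Uri expectedReply)
    {
        var problems = new List<string>();
        Uri target;
        if (!Uri.TryCreate(location, UriKind.Absolute, out target))
        {
            problems.Add("redirect target is not an absolute URI");
            return problems;
        }
        if (target.Scheme != Uri.UriSchemeHttps)
            problems.Add("sign-out request is not sent over https");
        // Compare scheme, host, port and path with the configured issuer.
        if (Uri.Compare(target, expectedIssuer, UriComponents.SchemeAndServer | UriComponents.Path,
                        UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) != 0)
            problems.Add("redirect does not go to the configured issuer");

        var query = HttpUtility.ParseQueryString(target.Query);
        if (query["wa"] != "wsignout1.0")
            problems.Add("wa is '" + query["wa"] + "', expected 'wsignout1.0'");

        // wreply is optional; when present it must be the relying party's own URL.
        var wreply = query["wreply"];
        Uri reply;
        if (wreply != null &&
            (!Uri.TryCreate(wreply, UriKind.Absolute, out reply) || reply != expectedReply))
            problems.Add("wreply does not match the relying party URL");
        return problems;
    }

    public static void Main()
    {
        // Constructed sample: the issuer URL is a placeholder, the reply URL is the one from the post.
        var issuer = new Uri("https://sts.example.test/wsfed");
        var reply = new Uri("https://application.contoso.org");
        var location = issuer + "?wa=wsignout1.0&wreply=" + Uri.EscapeDataString(reply.ToString());
        Console.WriteLine("valid request, problems: " + Inspect(location, issuer, reply).Count);
        foreach (var p in Inspect(location.Replace("https://sts", "http://sts"), issuer, reply))
            Console.WriteLine("downgraded request: " + p);
    }
}
```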
