IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Single sign out with hybrid flow #1775

Closed zonef closed 6 years ago

zonef commented 6 years ago

I'm trying to implement single sign out with hybrid flow, however I can't figure out how to use the sid which is passed via frontchannellogouturl.

I have 2 clients (Client A and Client B) with single sign on in my Identity Server. In the login callback I got id_token, code, reference_token, and session_state. Now I want to log out Client B when Client A is logged out. I configured frontchannellogouturl for both clients, and IdentityServer calls the configured URLs via iframe. However, it passes a session id which I can't connect with reference_token or id_token to identify the user to log out. What is the correct way to approach single sign out?

brockallen commented 6 years ago

> I'm trying to implement single sign out with hybrid flow, however can't figure out how to use sid which is passed via frontchannellogouturl

The sid is a claim you get back in the id_token that should be managed as a claim in the session in your client app. If you're in ASP.NET Core 2, then the Microsoft OIDC handler already does the right thing for you and handles the front channel signout and validates the sid properly.

Debasish1014 commented 6 years ago

Single signout is not working for me. If I sign out from IdentityServer then my MVC client doesn't sign out automatically. I have used OWIN middleware in the MVC application.

brockallen commented 6 years ago

The OWIN/Katana middleware does not support sign-out. You have to implement that endpoint manually.
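An added example, not part of the thread or of the IdentityServer samples: the check a hand-written front-channel logout endpoint needs, comparing the `sid` on the request with the `sid` claim kept in the client session as described above. The class and method names, the issuer URL, the sample claim values and the "Cookies" authentication type are assumptions made for illustration.

```csharp
using System;
using System.Security.Claims;

// Decision logic for a manually implemented front-channel logout endpoint.
// All names here are hypothetical; only the "sid" claim name comes from the thread.
public static class FrontChannelLogout
{
    // True only when the request names the session this browser currently holds.
    public static bool ShouldSignOut(ClaimsPrincipal user, string iss, string sid, string expectedIssuer)
    {
        // No authenticated local session: nothing to end.
        if (user?.Identity == null || !user.Identity.IsAuthenticated) return false;
        // No session named in the request: never sign out on a bare hit.
        if (string.IsNullOrEmpty(sid)) return false;
        // When an iss parameter is supplied it must be the provider we trust.
        if (!string.IsNullOrEmpty(iss) &&
            !string.Equals(iss, expectedIssuer, StringComparison.Ordinal)) return false;
        // The sid claim was copied from the id_token into the session at login.
        var sessionSid = user.FindFirst("sid")?.Value;
        return sessionSid != null && string.Equals(sessionSid, sid, StringComparison.Ordinal);
    }

    // In an MVC/OWIN action this would guard the actual sign-out, for example:
    //   if (FrontChannelLogout.ShouldSignOut((ClaimsPrincipal)User, iss, sid, issuer))
    //       Request.GetOwinContext().Authentication.SignOut("Cookies"); // assumed cookie scheme name
    public static void Main()
    {
        const string issuer = "https://sts.example.test"; // constructed value
        var identity = new ClaimsIdentity(
            new[] { new Claim("sub", "alice"), new Claim("sid", "a1b2c3") }, "Cookies");
        var user = new ClaimsPrincipal(identity);
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        // Constructed requests: matching session, other session, wrong issuer, no local session.
        Console.WriteLine(ShouldSignOut(user, issuer, "a1b2c3", issuer));
        Console.WriteLine(ShouldSignOut(user, issuer, "zzz999", issuer));
        Console.WriteLine(ShouldSignOut(user, "https://other.example.test", "a1b2c3", issuer));
        Console.WriteLine(ShouldSignOut(anonymous, issuer, "a1b2c3", issuer));
    }
}
```

Because IdentityServer loads the logout URL in an iframe, the check only sees a local session when the browser sends the client's session cookie with that iframe request.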

Debasish1014 commented 6 years ago

I have gone through the sample apps but have not seen any implementation. Can you refer me to some example?

brockallen commented 6 years ago

https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/Clients/MVC%20OWIN%20Client%20(Hybrid)/Controllers/HomeController.cs#L58

Debasish1014 commented 6 years ago

I have used the above, but it never gets called if I log out from identity server.

Debasish1014 commented 6 years ago

How can I log out automatically from the MVC client if I log out from identity server? Is it possible?

parkinsona commented 5 years ago

@Debasish1014, did you ever get the logout to be called from IdentityServer? I am having a similar issue.

DebasishSahoo14 commented 5 years ago

Hi @parkinsona, can you explain the issue in detail?

parkinsona commented 5 years ago

@Debasish1014, it turns out, this was working all along, just not in my local environment. I moved it to the integration environment (where everything is on a different hostname) and it worked.

I think there is something strange happening in my local environment, because even when I would login, some of my relying parties would end up on a different session in identity server.

Interestingly, I just switched my identityserver to be running out of iisexpress instead of IIS, and it is working. I am guessing there is something getting screwed up with how the cookies are being handled in IIS when they all have the same hostname? But I'm not sure. Either way, this gets me around my issue for now.

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.