
Do you have a sample or link for a SignOut request to an external identity provider?

Dec 31, 2014 at 10:51 AM
Hi,

I need to send signout information to a third party identity provider. Do you have a sample in which the idp sends a response in a second request?

J.
Coordinator
Dec 31, 2014 at 2:40 PM
In https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs ApplyResponseGrant we set up a PostLogoutRedirectUri for where the client should come back to after the IDP signs them out. The WsFed protocol has something similar.
Dec 31, 2014 at 4:19 PM
Thank you. I studied that already. I am just wondering how the SessionId (something particular which identifies the user) can be sent. How is the redirect handled from the IdP? The user is redirected to that URL and then comes back. The relying party does not have to do anything anymore then? No cookie deletion or whatsoever?
Coordinator
Jan 1, 2015 at 5:33 PM
Are you trying to keep track of the user locally during the remote sign-out process? Or are you trying to provide the IDP with additional user information during sign-out so it can do something specific?
Jan 2, 2015 at 1:04 PM
Edited Jan 2, 2015 at 1:04 PM
I need to provide a userId and sessionId to the Idp during sign-out. The idp will then send single logout to other relying parties to sign out the user as well. I also might receive this request if the user signs out through another application. The idp will initiate sign out with userId and sessionId as well.

I have now stored the userId and sessionId as claims.
Coordinator
Jan 2, 2015 at 5:47 PM
It's up to the IDP and/or protocol to define how to flow data like sessionId and userId. Here are a few examples:

In theory the IDP already knows who the user is if it keeps a sign-in cookie, so you wouldn't have to provide that information.

The OpenIdConnect protocol requires the application to embed an IFrame in the page to keep track of the sessionId for single-sign-out purposes.
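An added example (not code from this thread or from the Katana project) showing how the PostLogoutRedirectUri and the stored claims mentioned above fit together in an OWIN Startup: the id_token is kept in the local cookie at sign-in and sent back as id_token_hint when the handler builds the sign-out redirect, and an assumed "sid" claim is forwarded as an IdP-specific parameter. The authority, client id, URLs and the "sid" parameter name are placeholders; which extra parameters the IdP actually accepts is defined by that IdP.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idp.example/",          // placeholder IdP
            ClientId = "placeholder-client-id",          // placeholder
            RedirectUri = "https://rp.example/",
            // Where the IdP sends the browser back after it has signed the user out.
            PostLogoutRedirectUri = "https://rp.example/signed-out",
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // At sign-in, keep the id_token in the local cookie so it is
                // available when the user later signs out.
                SecurityTokenValidated = n =>
                {
                    n.AuthenticationTicket.Identity.AddClaim(
                        new Claim("id_token", n.ProtocolMessage.IdToken));
                    return Task.FromResult(0);
                },
                // On the sign-out redirect, pass the stored values to the IdP.
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        var user = n.OwinContext.Authentication.User;
                        var idToken = user.FindFirst("id_token");
                        if (idToken != null)
                            n.ProtocolMessage.IdTokenHint = idToken.Value; // standard OIDC parameter
                        var sid = user.FindFirst("sid");                   // assumed claim from the IdP
                        if (sid != null)
                            n.ProtocolMessage.SetParameter("sid", sid.Value); // IdP-specific, assumed
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Sign-out is triggered from the application with `Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType)`; naming the cookie type there is what clears the local session cookie, while naming the OpenIdConnect type is what makes ApplyResponseGrant issue the redirect above.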