Single Sign Out (SSO) is an important feature in Identity Server 4: it ensures that a user's session is terminated in all connected applications when they sign out of any one of them. Implementing SSO with single sign-out functionality involves the following steps:

  1. Enable SSO in Identity Server 4: Configure Identity Server 4 to enable SSO by setting AllowSignOutAllAuthenticatedClients to true in the AccountOptions:

    // Identity Server host: register IdentityServer and opt every authenticated
    // client into the sign-out so that one sign-out ends all sessions.
    services.AddIdentityServer()
        .AddAccountOptions(options =>
        {
            options.AllowSignOutAllAuthenticatedClients = true;
        });

  2. Add a sign-out callback endpoint: Create an endpoint in your Identity Server 4 application to handle the sign-out callback from the client applications. This endpoint should call the SignOutAsync method and then redirect the user to the post-sign-out URL carried by the logout context.

    [HttpGet]
    [Route("/signout/callback")]
    public async Task<IActionResult> SignOutCallback(string signOutId)
    {
        // Logout context that Identity Server created for this request;
        // it is null when signOutId is missing or unknown.
        var logoutRequest = await _interaction.GetLogoutContextAsync(signOutId);

        // Clear the local authentication session on the Identity Server.
        await _signInManager.SignOutAsync();

        // PostLogoutRedirectUri was validated by Identity Server against the
        // client's registered post-logout URIs. Fall back to a local page when
        // it is absent rather than calling Redirect(null).
        var returnUrl = logoutRequest?.PostLogoutRedirectUri;
        return string.IsNullOrEmpty(returnUrl)
            ? RedirectToAction("Index", "Home")
            : Redirect(returnUrl);
    }

  3. Configure client applications: Configure each client application (using Identity Server 4 for authentication) to send a sign-out request to the Identity Server's sign-out callback endpoint when the user signs out from the client application.

    // Client application (ASP.NET Core 1.x-style middleware):
    // the cookie scheme holds the local session, the OIDC scheme talks to Identity Server.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationScheme = "Cookies",
        AutomaticChallenge = true,
        AutomaticAuthenticate = true,
        ExpireTimeSpan = TimeSpan.FromMinutes(60)
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
    {
        AuthenticationScheme = "oidc",
        SignInScheme = "Cookies",
        Authority = "",                  // base URL of your Identity Server
        ClientId = "your_client_id",
        ClientSecret = "your_client_secret",
        ResponseType = "code id_token",
        SaveTokens = true,
        Events = new OpenIdConnectEvents
        {
            OnRedirectToIdentityProviderForSignOut = context =>
            {
                // Send a sign-out request to Identity Server's sign-out callback endpoint
                // (Options.Authority is the Authority configured above).
                context.Response.Redirect($"{context.Options.Authority}/signout/callback");
                context.HandleResponse();
                return Task.CompletedTask;
            }
        }
    });

  4. Trigger sign-out from client applications: In each client application, when the user initiates the sign-out process (e.g., by clicking a "Sign Out" button), call the appropriate authentication sign-out method to trigger the sign-out process.

    // Example: Trigger sign-out from a controller action.
    // POST plus the anti-forgery token prevents a third-party page from logging the user out.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync("Cookies"); // clear the local cookie session
        await HttpContext.SignOutAsync("oidc");    // redirect to Identity Server to end the SSO session
        return RedirectToAction("Index", "Home");
    }
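Pulling the four steps together, the following is an added example written for this page; it is not code from the original post or from the IdentityServer4 project. It assumes an IdentityServer4 host that uses ASP.NET Core Identity (`SignInManager<IdentityUser>`), a `LogoutPrompt` view and a `LoggedOut` view that renders `SignOutIframeUrl` in a hidden `<iframe>`, and placeholder client URLs under `https://client.example`. It goes slightly beyond the steps above in two ways a practitioner will want: the client registration lists a `FrontChannelLogoutUri`, which is what lets Identity Server reach the other applications, and the logout endpoint only signs out on a plain GET when Identity Server reports that a prompt is unnecessary.

```csharp
// Added example, not from the original post or the IdentityServer4 project.
// Assumptions: ASP.NET Core Identity (SignInManager<IdentityUser>), views named
// "LogoutPrompt" and "LoggedOut", and placeholder client URLs (https://client.example/...).
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Client registration on the Identity Server side.
public static class Clients
{
    public static Client MvcClient => new Client
    {
        ClientId = "mvc-client",                                // placeholder
        AllowedGrantTypes = GrantTypes.Hybrid,                  // matches "code id_token"
        ClientSecrets = { new Secret("replace-me".Sha256()) },  // placeholder secret
        RedirectUris = { "https://client.example/signin-oidc" },
        // Only URIs listed here are accepted as post_logout_redirect_uri.
        PostLogoutRedirectUris = { "https://client.example/signout-callback-oidc" },
        // Identity Server calls this (in a hidden iframe) to end the client's session;
        // the ASP.NET Core OIDC handler listens on /signout-oidc by default.
        FrontChannelLogoutUri = "https://client.example/signout-oidc",
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile
        }
    };
}

public class LogoutInputModel { public string LogoutId { get; set; } }

public class LoggedOutViewModel
{
    public string PostLogoutRedirectUri { get; set; }
    public string SignOutIframeUrl { get; set; }
    public string ClientName { get; set; }
}

[Route("account")]
public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(IIdentityServerInteractionService interaction,
                             SignInManager<IdentityUser> signInManager)
    {
        _interaction = interaction;
        _signInManager = signInManager;
    }

    // Clients arrive here via Identity Server's end_session endpoint, which validates
    // the request and attaches a logoutId that carries the client context.
    [HttpGet("logout")]
    public async Task<IActionResult> Logout(string logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // ShowSignoutPrompt is false only when the request carried a valid id_token_hint;
        // otherwise ask the user to confirm instead of signing out on an unauthenticated GET.
        if (context == null || context.ShowSignoutPrompt)
        {
            return View("LogoutPrompt", new LogoutInputModel { LogoutId = logoutId });
        }
        return await PerformLogoutAsync(logoutId);
    }

    [HttpPost("logout")]
    [ValidateAntiForgeryToken]
    public Task<IActionResult> Logout(LogoutInputModel model) => PerformLogoutAsync(model.LogoutId);

    private async Task<IActionResult> PerformLogoutAsync(string logoutId)
    {
        // Create the logout context while the user is still signed in: it records which
        // clients took part in this session so the sign-out iframe URL can reach them.
        if (logoutId == null && User?.Identity?.IsAuthenticated == true)
        {
            logoutId = await _interaction.CreateLogoutContextAsync();
        }
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // Clear the local Identity Server session.
        if (User?.Identity?.IsAuthenticated == true)
        {
            await _signInManager.SignOutAsync();
        }

        var vm = new LoggedOutViewModel
        {
            PostLogoutRedirectUri = context?.PostLogoutRedirectUri, // already validated
            ClientName = context?.ClientName,
            // Rendered in an <iframe>, this URL makes Identity Server emit one hidden
            // iframe per participating client's FrontChannelLogoutUri.
            SignOutIframeUrl = context?.SignOutIFrameUrl
        };
        return View("LoggedOut", vm);
    }
}
```

The `LoggedOut` view should render `SignOutIframeUrl` before performing any automatic redirect to `PostLogoutRedirectUri`; if the page redirects immediately, the browser may never load the iframe and the other clients keep their sessions.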

With these steps in place, when a user signs out from any client application, the sign-out request will be sent to the Identity Server's sign-out callback endpoint. The endpoint will sign the user out and redirect them to the specified post-sign-out URL. This ensures that the user's session is terminated across all applications connected to Identity Server.

It's important to note that proper implementation of SSO and single sign-out also requires correct configuration of authentication middleware in both Identity Server and client applications, as well as proper handling of sign-out requests and user session management.
