Single sign-out

Abstract

Overview of single sign-out including how to notify clients when users sign out, client sign-out endpoints, and Sitecore Host applications sign-out endpoints.

You sign a user out of the Sitecore Identity server (SI server) by removing the authentication cookie. A complete federated sign-out, however, means that you must also consider signing the user out of client applications (and perhaps also upstream identity providers).

The SI server supports the front-channel specification for server-side clients (MVC applications, for example). You use this to ensure that client applications are informed that a user signs out.

To sign a user out from a server-side client application via the front-channel specification, the signed-out page of the SI server must render an <iframe> to notify the clients that the user has signed out. Every client that you want to notify must have a value for the FrontChannelLogoutUris setting specified in the configuration.

The configuration defines sign-out endpoint URIs. You can use multiple subnodes to define more than one URI, or you can use the | symbol to separate URIs within a node. You can also use the {AllowedCorsOrigin} template to simplify the configuration. When you use that template, all origins (hosts) are notified about the sign-out.

You use the FrontChannelLogoutSessionRequired setting to turn sign-out endpoints on and off.

This is an example of a configuration:

<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <IdentityServer>
      <Clients>
        <DefaultClient>
          <FrontChannelLogoutUris>
            <DefaultFrontChannelLogoutUri>{AllowedCorsOrigin}/sitecore/shell/FrontChannelLogout|https://service/extraLogoutEndpoint</DefaultFrontChannelLogoutUri>
          </FrontChannelLogoutUris>
          <FrontChannelLogoutSessionRequired>true</FrontChannelLogoutSessionRequired>
        </DefaultClient>
      </Clients>
    </IdentityServer>
  </Sitecore>
</Settings>

The SI server tracks which clients a user has signed into, and it provides a GetLogoutContextAsync method on the IIdentityServerInteractionService service. This method returns a LogoutRequest object with a SignOutIFrameUrl property that your sign-out page must render into an <iframe>.

To perform the sign-out process, clients must implement an endpoint that processes requests from the SI server. The Sitecore instance has an implementation at the <Sitecore instance host name>/sitecore/shell/FrontChannelLogout endpoint.

The Sitecore.Plugin.Authentication.OpenIdConnect plugin contains a sign-out endpoint. By default, it is <application host name>/sitecore/shell/FrontChannelLogout, but you can specify another address in the configuration:

<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <Authentication>
      <OpenIdConnectOptions>
        <FrontChannelLogoutEndpoint>/sitecore/shell/FrontChannelLogout</FrontChannelLogoutEndpoint>
      </OpenIdConnectOptions>
    </Authentication>
  </Sitecore>
</Settings>
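Both halves of the exchange described above (the SI server's signed-out page rendering SignOutIFrameUrl, and a client's front-channel endpoint), as an added ASP.NET Core example; this is not Sitecore's or IdentityServer's own code. The client route /signout-frontchannel and the ExpectedIssuer value are placeholders, and the client is assumed to keep the sid claim from the id_token in its cookie principal.

```csharp
using System.Net;
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// SI server side: the signed-out page. IdentityServer appends logoutId when it
// redirects here; GetLogoutContextAsync tells us whether an iframe is needed.
public class LogoutController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    public LogoutController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    [HttpGet]
    public async Task<IActionResult> LoggedOut(string logoutId)
    {
        await HttpContext.SignOutAsync();   // remove the SI server authentication cookie
        var logout = await _interaction.GetLogoutContextAsync(logoutId);
        if (logout?.SignOutIFrameUrl == null) return Content("Signed out.", "text/html");
        // IdentityServer serves SignOutIFrameUrl as a page holding one nested iframe
        // per FrontChannelLogoutUris entry of each client the user signed into.
        var src = WebUtility.HtmlEncode(logout.SignOutIFrameUrl);
        return Content($"<p>Signed out.</p><iframe width=\"0\" height=\"0\" src=\"{src}\"></iframe>", "text/html");
    }
}

// Client side: the endpoint each nested iframe requests. Hypothetical route;
// Sitecore's own implementation lives at /sitecore/shell/FrontChannelLogout.
public class FrontChannelLogoutController : Controller
{
    private const string ExpectedIssuer = "https://si-server.example"; // placeholder

    // With FrontChannelLogoutSessionRequired=true the request carries sid and iss.
    [HttpGet("/signout-frontchannel")]
    public async Task<IActionResult> Index([FromQuery] string sid, [FromQuery] string iss)
    {
        var auth = await HttpContext.AuthenticateAsync();
        if (!auth.Succeeded) return NoContent();    // no local session to end
        // End only the session the SI server terminated: sid must match the sid
        // claim in this client's cookie, and iss must be our SI server.
        var localSid = auth.Principal.FindFirst("sid")?.Value;
        if (string.IsNullOrEmpty(sid) || sid != localSid || iss != ExpectedIssuer)
            return BadRequest();
        await HttpContext.SignOutAsync();
        Response.Headers["Cache-Control"] = "no-cache, no-store";
        return NoContent();
    }
}
```

The iframe request is cross-site, so the client's authentication cookie reaches this endpoint only if it is issued with SameSite=None; with Lax or Strict the SI server session ends but the client session silently survives.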