Single sign-out
You sign a user out of the Sitecore Identity server (SI server) by removing the authentication cookie. A complete federated sign-out, however, also requires signing the user out of the client applications the user signed in to through the SI server (and possibly an upstream identity provider as well).
Notifying clients when users sign out
The SI server supports the OpenID Connect front-channel logout specification for server-side clients (MVC applications, for example). You use it to make sure that client applications are informed when a user signs out.
To sign a user out of a server-side client application through the front-channel mechanism, the signed-out page of the SI server must render an <iframe> that notifies the clients that the user has signed out. Each client that you want to notify must have its sign-out endpoint listed in the FrontChannelLogoutUris setting in the configuration.
The FrontChannelLogoutUris configuration defines the sign-out endpoint URIs of a client. You can use multiple subnodes to define more than one URI, or you can use the | symbol to separate URIs within a single node. You can also use the {AllowedCorsOrigin} template to simplify the configuration: the template is expanded once for every allowed CORS origin (host) configured for the client, so each of those hosts is notified about the sign-out.
You use the FrontChannelLogoutSessionRequired setting to turn the sign-out endpoints on and off. In the underlying IdentityServer4 client model, the property of the same name controls whether the user's session ID (sid) and the issuer (iss) are appended as query parameters to the request that the SI server sends to each sign-out endpoint. A client endpoint uses the sid to check that the request belongs to its current session, so leave the setting at true unless you have a specific reason not to.
This is an example of a configuration:
<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <IdentityServer>
      <Clients>
        <DefaultClient>
          <FrontChannelLogoutUris>
            <DefaultFrontChannelLogoutUri>{AllowedCorsOrigin}/sitecore/shell/FrontChannelLogout|https://service/extraLogoutEndpoint</DefaultFrontChannelLogoutUri>
          </FrontChannelLogoutUris>
          <FrontChannelLogoutSessionRequired>true</FrontChannelLogoutSessionRequired>
        </DefaultClient>
      </Clients>
    </IdentityServer>
  </Sitecore>
</Settings>
The SI server tracks which clients a user has signed in to, and it provides the GetLogoutContextAsync API on the IIdentityServerInteractionService service. This API returns a LogoutRequest object with a SignOutIFrameUrl property, and your sign-out page must render that URL into an <iframe>. The URL points to an SI server endpoint whose response loads the sign-out endpoint of every client the user signed in to, so the notification only works if the page actually renders the frame.
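The following controller is an added example, not Sitecore's own sign-out page: it shows how a sign-out page on an IdentityServer4-based server such as the SI server uses the interaction API named above (IIdentityServerInteractionService, GetLogoutContextAsync, LogoutRequest.SignOutIFrameUrl), and it also handles the upstream-identity-provider case mentioned at the top of this page. It follows the structure of the IdentityServer4 quickstart UI; the controller, view model and view names are assumptions for illustration.

```csharp
// Added example (not Sitecore's code): sign-out controller for an IdentityServer4-based server.
// Assumed names: LogoutController, LoggedOutViewModel, the "Confirm" and "LoggedOut" views.
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Extensions;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class LoggedOutViewModel
{
    public string LogoutId { get; set; }
    public string SignOutIFrameUrl { get; set; }             // rendered into a hidden <iframe>
    public string PostLogoutRedirectUri { get; set; }        // where the initiating client wants the user afterwards
    public string ExternalAuthenticationScheme { get; set; } // upstream identity provider to sign out of, if any
}

public class LogoutController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public LogoutController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    // GET /logout?logoutId=...  Show a confirmation prompt unless the request came through the
    // end_session endpoint with a valid id_token_hint (ShowSignoutPrompt == false) or nobody is
    // signed in. Never sign out on a bare GET: any site could trigger that in the user's browser.
    [HttpGet]
    public async Task<IActionResult> Index(string logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);
        if (User?.Identity?.IsAuthenticated == true && context?.ShowSignoutPrompt != false)
        {
            return View("Confirm", logoutId);
        }
        return await Confirmed(logoutId);
    }

    // POST /logout  The actual sign-out.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Confirmed(string logoutId)
    {
        var vm = new LoggedOutViewModel { LogoutId = logoutId };
        var authenticated = User?.Identity?.IsAuthenticated == true;

        if (authenticated)
        {
            // Without a logoutId (the user clicked "sign out" on the server itself) capture the
            // logout context now, before the cookie is removed, so the server still knows which
            // clients this session signed in to.
            if (string.IsNullOrEmpty(vm.LogoutId))
            {
                vm.LogoutId = await _interaction.CreateLogoutContextAsync();
            }

            // Remember an upstream identity provider that supports sign-out, so the federated
            // sign-out can continue there after the local one.
            var idp = User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;
            if (idp != null && idp != IdentityServerConstants.LocalIdentityProvider
                && await HttpContext.GetSchemeSupportsSignOutAsync(idp))
            {
                vm.ExternalAuthenticationScheme = idp;
            }
        }

        // The context lists the clients the user signed in to; SignOutIFrameUrl points at the
        // server endpoint whose response embeds one <iframe> per configured front-channel logout URI.
        var logout = await _interaction.GetLogoutContextAsync(vm.LogoutId);
        vm.SignOutIFrameUrl = logout?.SignOutIFrameUrl;
        vm.PostLogoutRedirectUri = logout?.PostLogoutRedirectUri;

        if (authenticated)
        {
            await HttpContext.SignOutAsync(); // local sign-out: remove the server's authentication cookie
        }

        if (vm.ExternalAuthenticationScheme != null)
        {
            // Sign out of the upstream provider, then return here (now unauthenticated, so the GET
            // goes straight to the signed-out page) with the same logoutId.
            var returnUrl = Url.Action("Index", "Logout", new { logoutId = vm.LogoutId });
            return SignOut(new AuthenticationProperties { RedirectUri = returnUrl },
                           vm.ExternalAuthenticationScheme);
        }

        return View("LoggedOut", vm);
    }
}

/* LoggedOut.cshtml (assumed view). The hidden iframe is what notifies the clients:

@model LoggedOutViewModel
<p>You are now signed out.</p>
@if (Model.SignOutIFrameUrl != null)
{
    <iframe width="0" height="0" class="signout" src="@Model.SignOutIFrameUrl"></iframe>
}
@if (Model.PostLogoutRedirectUri != null)
{
    <a href="@Model.PostLogoutRedirectUri">Return to the application</a>
}
*/
```

The order matters: the logout context is read before the local cookie is removed, because without a logoutId the server derives the client list from the current session. Keep the PostLogoutRedirectUri as a link or a delayed redirect rather than an immediate one, so the browser has time to load the frame.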
Client sign-out endpoints
To take part in the sign-out process, a client must implement an endpoint that processes the sign-out requests from the SI server. The Sitecore instance has an implementation at the <Sitecore instance host name>/sitecore/shell/FrontChannelLogout endpoint.
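For a custom server-side client (an ASP.NET Core MVC application that signs in through the SI server), the endpoint looks like the added example below. It is not Sitecore's own implementation: the route, the cookie scheme name and the configuration key for the expected issuer are assumptions, while the sid and iss query parameters are the ones defined by OpenID Connect Front-Channel Logout 1.0 and appended by the SI server when FrontChannelLogoutSessionRequired is true.

```csharp
// Added example (not Sitecore's code): front-channel logout endpoint of an ASP.NET Core client.
// Assumed: route "/signout-frontchannel", cookie scheme = CookieAuthenticationDefaults,
// configuration key "Authentication:Authority" holding the SI server's issuer URL.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

public class FrontChannelLogoutController : Controller
{
    private readonly string _expectedIssuer;

    public FrontChannelLogoutController(IConfiguration configuration)
    {
        _expectedIssuer = (configuration["Authentication:Authority"] ?? string.Empty).TrimEnd('/');
    }

    // Configured on the SI server as this client's FrontChannelLogoutUri. The browser loads it in
    // an <iframe> from the SI server's signed-out page, so it is a cross-site GET that must carry
    // this application's session cookie.
    [HttpGet("/signout-frontchannel")]
    public async Task<IActionResult> Index([FromQuery] string sid, [FromQuery] string iss)
    {
        // Never let the frame response be cached: a later sign-out would be served from cache.
        Response.Headers["Cache-Control"] = "no-cache, no-store";
        Response.Headers["Pragma"] = "no-cache";

        if (User?.Identity?.IsAuthenticated != true)
        {
            // No local session (or the cookie was not sent): nothing to end, answer cleanly.
            return NoContent();
        }

        // Only end the local session if the request refers to it: the sid must equal the sid claim
        // the SI server put in this user's id_token, and the issuer must be our SI server.
        // Otherwise any page could sign users out of this application by framing the URL.
        var currentSid = User.FindFirst("sid")?.Value;
        if (string.IsNullOrEmpty(sid) || sid != currentSid)
        {
            return BadRequest();
        }
        if (!string.IsNullOrEmpty(_expectedIssuer)
            && (iss ?? string.Empty).TrimEnd('/') != _expectedIssuer)
        {
            return BadRequest();
        }

        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return NoContent();
    }
}
```

Two checks a practitioner should make before relying on this. First, the request arrives inside a cross-site iframe, so the client's authentication cookie must be issued with SameSite=None and Secure; with the default Lax policy the browser does not send it, the endpoint sees an anonymous request, and the user stays signed in. Second, the ASP.NET Core OpenIdConnect handler already ships an equivalent endpoint at its RemoteSignOutPath (default /signout-oidc) that performs the same sid comparison, so in many applications you only need to point the FrontChannelLogoutUri at that path instead of writing your own.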
Sitecore Host applications sign-out endpoints
The Sitecore.Plugin.Authentication.OpenIdConnect plugin contains a sign-out endpoint. By default, it is <application host name>/sitecore/shell/FrontChannelLogout, but you can specify another address in the configuration:
<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <Authentication>
      <OpenIdConnectOptions>
        <FrontChannelLogoutEndpoint>/sitecore/shell/FrontChannelLogout</FrontChannelLogoutEndpoint>
      </OpenIdConnectOptions>
    </Authentication>
  </Sitecore>
</Settings>