Reputation: 1041
I'm building a distributed system with multiple clients that use a single identity server for authentication. This provides single sign-on between these clients.
When a user signs out from one of the clients, and thus signs out from the identity server, can the identity server sign the user out from all other clients?
I've seen this asked here: Thinktecture identity server 3 Single Sign Out
If the answer is no, would the identity provider have to redirect the user to the sign out URLs of each client that federates with it? Or does the identity server know which clients the user had authenticated with and could be selective in the redirects?
Edit:
Or can the identity provider explicitly call a service on each client to expire that user's session?
Upvotes: 0
Views: 1169
Reputation: 13128
To implement Single Sign Out you usually have a page on the STS with img tags for each RP:
<div>
    <img src="http://rp1.com?wa=wsignoutcleanup1.0" />
    <img src="http://rp2.com?wa=wsignoutcleanup1.0" />
</div>
And a timer or a piece of JS to redirect when all images are loaded. The STS may or may not remember on which RP the user was logged in. Asking for a wsignoutcleanup when you haven't signed in is no big deal.
More information available here:
That being said, I don't know how this is handled in IdentityServer.
Upvotes: 2
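The mechanism the answer describes, as an added example that is not part of the original answer and not IdentityServer's own code: a sign-out page on the STS builds one img element per relying party pointing at its wsignoutcleanup1.0 endpoint, and a small tracker redirects the browser once every image has loaded or failed, with a timeout as a fallback so one unresponsive RP cannot strand the user. The RP hostnames, the post-sign-out URL and the timeout value are constructed for the example.

```javascript
// Added example (not from the original answer): a WS-Federation style
// single sign-out page as the answer describes it. RP list, redirect
// target and timeout below are assumptions, not values from the page.

// Build the cleanup URL for each configured RP. The list must come from
// STS configuration, never from request input, so the page cannot be
// turned into a request relay. The URL API keeps any existing query string
// intact and encodes the parameter correctly.
function buildCleanupUrls(rpUrls) {
  return rpUrls.map((rp) => {
    const url = new URL(rp);
    url.searchParams.set("wa", "wsignoutcleanup1.0");
    return url.toString();
  });
}

// Count outstanding cleanup requests. onload and onerror both count as
// "done": the STS cannot tell an RP that had no session (harmless, as the
// answer notes) from one that just cleared it, and should not wait on it.
function createSignOutTracker(total, onAllDone) {
  let remaining = total;
  let finished = false;
  const finish = () => {
    if (finished) return; // redirect exactly once
    finished = true;
    onAllDone();
  };
  if (total === 0) finish(); // nothing to clean up: redirect immediately
  return {
    markDone() {
      if (finished) return;
      remaining = Math.max(0, remaining - 1);
      if (remaining === 0) finish();
    },
    get remaining() { return remaining; },
    get finished() { return finished; },
    // Timeout fallback so a hung RP cannot keep the user on this page.
    forceFinish: finish,
  };
}

// Browser entry point: render the images, then redirect when all are done.
// `doc` and `navigate` are injected so the logic can run without a real DOM.
function renderSignOutPage(doc, rpUrls, postSignOutUrl, timeoutMs, navigate) {
  const urls = buildCleanupUrls(rpUrls);
  const tracker = createSignOutTracker(urls.length, () => navigate(postSignOutUrl));
  const container = doc.createElement("div");
  for (const src of urls) {
    const img = doc.createElement("img");
    img.onload = () => tracker.markDone();
    img.onerror = () => tracker.markDone();
    img.src = src; // assign last, so handlers exist before the request starts
    container.appendChild(img);
  }
  doc.body.appendChild(container);
  setTimeout(() => tracker.forceFinish(), timeoutMs);
  return tracker;
}

// Only runs in a browser; constructed RP hosts and redirect target.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  renderSignOutPage(
    document,
    ["https://rp1.example", "https://rp2.example/app?tenant=a"],
    "https://sts.example/signedout",
    5000,
    (url) => { window.location.href = url; }
  );
}
```

One caveat a practitioner should check: the cleanup image request only ends the RP session if the browser sends the RP's session cookie on that cross-site request. With current browser defaults (cookies treated as SameSite=Lax) an RP whose cookie is not explicitly SameSite=None; Secure will receive the request without its cookie, so the local sign-out silently does nothing and the user still appears signed in at that RP.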