Federated Logout with the Katana WS-Federation Middleware

For some reason the Katana WS-Fed middleware does not seem to implement signout cleanup, i.e. it does not react to the wsignoutcleanup1.0 message.

This means that your application will ignore federated signout callbacks from the STS, which will result in resources like logon cookies not being cleaned up properly: the user signs out at the STS, but the local session cookie for your application stays valid.

Here’s a quick fix for your pipeline:

app.Use(async (ctx, next) =>
{
    var qs = ctx.Request.Query;
    var wa = qs.Get("wa");   // WS-Federation action parameter

    if (wa != null)
    {
        // The STS sends this action when the user signs out elsewhere
        if (wa == "wsignoutcleanup1.0")
        {
            // clean up resources, e.g. the logon cookie
            ctx.Authentication.SignOut("Cookies");
        }
    }

    await next();
});
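The same check packaged as a reusable OWIN middleware, as an added example that is not from the original post. It goes one step further than the snippet above: after signing out it answers the cleanup request with an empty response instead of continuing down the pipeline, because the STS normally loads the cleanup URL in a hidden iframe or image tag, not in a browser tab. The class and extension method names are my own, and the cookie authentication type is assumed to be "Cookies" as in the post.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Hypothetical middleware name; not part of Katana.
public class WsFedSignOutCleanupMiddleware : OwinMiddleware
{
    private readonly string _cookieAuthType;

    public WsFedSignOutCleanupMiddleware(OwinMiddleware next, string cookieAuthType)
        : base(next)
    {
        _cookieAuthType = cookieAuthType;
    }

    public override async Task Invoke(IOwinContext context)
    {
        var wa = context.Request.Query.Get("wa");

        // Only the WS-Federation cleanup action is handled here; all other requests pass through.
        if (string.Equals(wa, "wsignoutcleanup1.0", StringComparison.Ordinal))
        {
            // The STS is telling us the user signed out: drop the local session cookie.
            context.Authentication.SignOut(_cookieAuthType);

            // The cleanup URL is usually fetched from a hidden iframe/img on the STS signout page,
            // so return an empty, non-cacheable response instead of rendering the application.
            context.Response.StatusCode = 200;
            context.Response.ContentType = "text/plain";
            context.Response.Headers.Set("Cache-Control", "no-store");
            await context.Response.WriteAsync(string.Empty);
            return;
        }

        await Next.Invoke(context);
    }
}

public static class WsFedSignOutCleanupExtensions
{
    // Hypothetical extension method; register it before the MVC/Web API handlers in Startup.
    public static IAppBuilder UseWsFedSignOutCleanup(this IAppBuilder app, string cookieAuthType = "Cookies")
    {
        return app.Use<WsFedSignOutCleanupMiddleware>(cookieAuthType);
    }
}
```

The cookie middleware must still be registered in the pipeline, since SignOut only queues the cookie removal and the cookie handler performs it when the response is written.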

HTH

This entry was posted in .NET Security, ASP.NET, Katana, OWIN.

1 Response to Federated Logout with the Katana WS-Federation Middleware

  1. Chris says:

    Thank you for documenting this, it saved my bacon today. Very strange that Owin middleware doesn’t support this out of the box when you set UseWsFederationAuthentication… wonder if they will add it someday.
