Federated Logout with the Katana WS-Federation Middleware

For some reason the Katana WS-Fed middleware does not seem to implement signout cleanup.

This means that your application will ignore federated signout callbacks from the STS which will result in resources like logon cookies not being cleaned up properly.

Here’s a quick fix for your pipeline:

app.Use(async (ctx, next) =>
{
   
var
qs = ctx.Request.Query;
   
var wa = qs.Get("wa"
);

   
if (wa != null
)
    {
       
if (wa == "wsignoutcleanup1.0"
)
        {
           
// clean up resources, e.g. the logon cookie

            ctx.Authentication.SignOut(
"Cookies"
);
        }
    }

   
await next();
});

HTH

This entry was posted in .NET Security, ASP.NET, Katana, OWIN. Bookmark the permalink.

One Response to Federated Logout with the Katana WS-Federation Middleware

  1. Chris says:

    Thank you for documenting this, it saved my bacon today. Very strange that Owin middleware doesn’t support this out of the box when you set UseWsFederationAuthentication… wonder if they will add it someday.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s