For some reason the Katana WS-Fed middleware does not seem to implement signout cleanup.
This means that your application ignores the federated signout callback (wa=wsignoutcleanup1.0) from the STS, so resources like the logon cookie are not cleaned up properly and the local session outlives the session at the STS.
Here’s a quick fix for your pipeline:
app.Use(async (ctx, next) =>
{
    var qs = ctx.Request.Query;
    var wa = qs.Get("wa");

    // the STS calls back with wa=wsignoutcleanup1.0 after the user signed out there
    if (wa != null)
    {
        if (wa == "wsignoutcleanup1.0")
        {
            // clean up resources, e.g. the logon cookie
            ctx.Authentication.SignOut("Cookies");
        }
    }

    await next();
});
HTH
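The same cleanup packaged as a reusable Katana middleware, added here as an example (it is not code from the original post). The class name, the constructor parameter and the registration line are assumptions; it also answers the cleanup callback directly instead of letting the rest of the pipeline run, which is my addition.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin;

// Added example, not from the original post. Names such as
// WsFedSignoutCleanupMiddleware are assumptions; adjust to your pipeline.
public class WsFedSignoutCleanupMiddleware : OwinMiddleware
{
    private readonly string _cookieAuthType;

    // cookieAuthType: the AuthenticationType of your cookie middleware, e.g. "Cookies"
    public WsFedSignoutCleanupMiddleware(OwinMiddleware next, string cookieAuthType)
        : base(next)
    {
        _cookieAuthType = cookieAuthType;
    }

    public override async Task Invoke(IOwinContext ctx)
    {
        // The STS calls back with ?wa=wsignoutcleanup1.0 (typically from a hidden
        // iframe or image tag) once the user has signed out at the STS.
        if (ctx.Request.Query.Get("wa") == "wsignoutcleanup1.0")
        {
            // Remove the local logon cookie so the local session does not
            // outlive the session at the STS.
            ctx.Authentication.SignOut(_cookieAuthType);

            // Answer the callback directly: if the pipeline continued, a protected
            // page would challenge again and redirect back to the STS from inside
            // the cleanup iframe.
            ctx.Response.StatusCode = 200;
            ctx.Response.ContentType = "text/plain";
            await ctx.Response.WriteAsync("signed out");
            return;
        }

        await Next.Invoke(ctx);
    }
}

// Registration (assumed): place it after UseCookieAuthentication so the cookie
// middleware can apply the SignOut on the way out of the pipeline.
// app.Use<WsFedSignoutCleanupMiddleware>("Cookies");
```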
Thank you for documenting this, it saved my bacon today. Very strange that Owin middleware doesn’t support this out of the box when you set UseWsFederationAuthentication… wonder if they will add it someday.