For some reason the Katana WS-Fed middleware does not seem to implement signout cleanup.
This means that your application will ignore federated signout callbacks from the STS which will result in resources like logon cookies not being cleaned up properly.
Here’s a quick fix for your pipeline:
app.Use(async (ctx, next) =>
var qs = ctx.Request.Query;
var wa = qs.Get("wa");
if (wa != null)
if (wa == "wsignoutcleanup1.0")
// clean up resources, e.g. the logon cookie