Richie's Blog

Logging Out of IdentityServer from Sitefinity

Some extra goodies to make your custom SSO solution with Sitefinity and IdentityServer complete

A couple of months ago I wrote about how to get your instance of Sitefinity set up with IdentityServer to create a custom SSO solution. I've been updating my fork on Github to keep it in sync with the original source, since mine isn't anything super special except to add support for Sitefinity.

A few weeks ago someone emailed me about support for logging out. To be honest, my first reaction was, "Well yeah, you can log out. Just click the log out link...". Then it hit me: there was no built-in way to log out of IdentityServer from Sitefinity. What should happen when you log out of a relying party website is that both sessions end, the relying party's own session cookie and the session at the STS (security token service, i.e. IdentityServer). Then the next time you hit a page in Sitefinity that doesn't allow anonymous access, you get redirected to IdentityServer and have to log in again. What actually happened was that only the Sitefinity session went away. You were still redirected to IdentityServer, but IdentityServer still had its own session cookie, so it issued a fresh token and sent you straight back, logged in, without ever showing the login page.

Oops... my bad.

So with some help from the gentleman who emailed me, we came up with a solution. I added the code below to the Sitefinity controller in the IdentityServer fork.

using System;
using System.IdentityModel.Services;   // FederatedAuthentication (WIF as shipped in .NET 4.5)
using System.Linq;
using System.Web.Mvc;

// Inside the Sitefinity controller action. Assumed context, since the fragment
// doesn't show it: query is the request's query string collection, and realm
// and reply are the relying party's realm and return URL taken from the request
// earlier in the action.
// AllKeys can contain a null key for a bare value, so guard before calling Equals.
var isSignout = query[query.AllKeys.FirstOrDefault(p => p != null && p.Equals("sign_out", StringComparison.OrdinalIgnoreCase))];

// if this is a signout request, end the STS session and send the user back to the relying party
if (!string.IsNullOrWhiteSpace(isSignout)
    && isSignout.Equals("true", StringComparison.OrdinalIgnoreCase))
{
    Tracing.Verbose("Sitefinity logout request");
    FederatedAuthentication.SessionAuthenticationModule.SignOut();   // clears the STS session cookie
    return Redirect(new Uri(new Uri(realm), reply).AbsoluteUri);
}

There is an apparently undocumented query string parameter, "sts_signout", that you need to add to Sitefinity's logout URL (as sts_signout=true). It tells Sitefinity to sign out of the STS as well, instead of only dropping its own session.
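One thing worth checking in the snippet above: realm and reply come straight off the query string and end up in a redirect, so unless the action confirms that realm is a relying party the STS actually knows about, it can be used to bounce a user to any URL. Below is an added example of how I would write that check; it is not code from the original post or from the IdentityServer fork. The controller name, the RegisteredRealms list, the sample realm URL, and the assumption that realm and reply arrive as the WS-Federation wtrealm and wreply parameters are all mine for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.IdentityModel.Services;
using System.Linq;
using System.Web.Mvc;

// Added example, not code from the original post or its IdentityServer fork.
// A hypothetical STS-side controller action that honours the relying party's
// sign-out request but only redirects back to a realm it has registered.
public class SitefinitySignOutController : Controller
{
    // Assumption: in a real deployment these come from the relying party
    // configuration. This is a constructed list for illustration only.
    private static readonly Uri[] RegisteredRealms =
    {
        new Uri("https://sitefinity.example.com/"),
    };

    [HttpGet]
    public ActionResult SignOut()
    {
        var query = Request.QueryString;
        // Assumption: realm and reply are the WS-Federation wtrealm/wreply
        // parameters; the original snippet only shows the variables.
        var isSignOut = GetIgnoreCase(query, "sign_out");
        var realm = GetIgnoreCase(query, "wtrealm");
        var reply = GetIgnoreCase(query, "wreply");

        if (!"true".Equals(isSignOut, StringComparison.OrdinalIgnoreCase))
        {
            return new HttpStatusCodeResult(400, "Not a sign-out request");
        }

        // End the STS session first: whether or not we can redirect, the user
        // asked to be signed out and the next visit must show the login page.
        FederatedAuthentication.SessionAuthenticationModule.SignOut();

        Uri returnTo;
        if (!TryBuildReturnUrl(realm, reply, RegisteredRealms, out returnTo))
        {
            // Unknown realm, or a reply that escapes it: don't act as an open redirector.
            return new HttpStatusCodeResult(400, "Unknown relying party");
        }

        return Redirect(returnTo.AbsoluteUri);
    }

    // Case-insensitive lookup. AllKeys can contain a null key for a bare value,
    // which an unguarded Equals call would trip over.
    private static string GetIgnoreCase(NameValueCollection query, string name)
    {
        var key = query.AllKeys.FirstOrDefault(k => k != null && k.Equals(name, StringComparison.OrdinalIgnoreCase));
        return key == null ? null : query[key];
    }

    // Resolves reply against realm the same way the original code does, then
    // accepts the result only if it stays under a registered realm: same scheme,
    // host and port, and a path at or below the registered path.
    public static bool TryBuildReturnUrl(string realm, string reply, IEnumerable<Uri> registeredRealms, out Uri result)
    {
        result = null;

        Uri realmUri;
        if (string.IsNullOrWhiteSpace(realm) || !Uri.TryCreate(realm, UriKind.Absolute, out realmUri))
        {
            return false;
        }

        Uri candidate;
        if (string.IsNullOrWhiteSpace(reply))
        {
            candidate = realmUri;
        }
        else if (!Uri.TryCreate(realmUri, reply, out candidate))
        {
            return false;
        }

        // A reply such as "//attacker.example/" or "https://attacker.example/"
        // resolves to a different host here and is rejected below.
        foreach (var registered in registeredRealms)
        {
            var sameOrigin = registered.Scheme == candidate.Scheme
                && registered.Port == candidate.Port
                && string.Equals(registered.Host, candidate.Host, StringComparison.OrdinalIgnoreCase);
            if (sameOrigin && candidate.AbsolutePath.StartsWith(registered.AbsolutePath, StringComparison.OrdinalIgnoreCase))
            {
                result = candidate;
                return true;
            }
        }

        return false;
    }
}
```

The session is ended before the realm check on purpose: a bad reply URL shouldn't leave the user signed in at the STS, it should just stop the redirect. Comparing scheme, host and port (rather than doing a string prefix match on the whole URL) is what defeats replies like //attacker.example/ that a naive check would let through.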

So that takes care of the signout request to IdentityServer. But how do you get Sitefinity to add the query string to the logout links in the backend? The solution I ended up with is a URL rewrite rule in web.config. It catches requests to /Sitefinity/Signout that don't already carry sts_signout=true and redirects them to the same URL with it added; the negated condition is what keeps the rule from redirecting its own output in a loop. It works, but I'm not crazy about it. I'm definitely open to new ideas because I feel there's got to be a better way.

 <rewrite>
    <rules>
       <rule name="Sitefinity STS Signout" stopProcessing="true">
          <match url="^sitefinity/signout$" />
          <conditions>
             <add input="{QUERY_STRING}" pattern="sts_signout=true" negate="true" />
          </conditions>
          <action type="Redirect" url="/Sitefinity/Signout?sts_signout=true" appendQueryString="true" redirectType="Temporary" />
       </rule>
    </rules>
 </rewrite>

And there you go. That's how you get logging out of IdentityServer from a Sitefinity relying party. If you have any other thoughts on how to make it better, leave a comment, send me a note, or hit me up on Twitter. I've updated everything on my GitHub fork.

Oh and by the way, this solution (IdentityServer and all) will work with the recently released Sitefinity 6.1.

Tagged with Sitefinity IdentityServer SSO

Hey glad you're here! I'm a developer living in Melbourne, FL. Hope you enjoy some of the topics I discuss here.
