Tags: single-sign-on, openid, identityserver4, openid-connect

Identity Server 4 External IDP Signout Tidyup


I have Identity Server 4 running OK performing local authentication for an MVC app, working fine. I needed to add support for an external IDP too, so I followed the instructions in the documentation and based it on the quickstart code. So it's currently configured to use the demo IDP at https://demo.identityserver.io as an external IDP and works fine for login - the user gets redirected to the external IDP for entering their details, my auth server gets back an id_token with user id (subject) which I match to a user in our own user repository. Our auth server then continues the login as per normal, issuing its own tokens etc. - so all fine so far.

The problem I have is Sign-Out from the external IDP - if a user signs out from the demo.identityserver.io IDP directly, I need to ensure this filters back to clear up the stored authentication cookies, thus requiring the user to sign in again if they attempt to access a protected page in the app.

This works OK if the user logs out of our own ID Server (i.e. the logout page presented by the ID Server has built-in iframes that ensure the MVC app gets tidied up). For the external IDP I would expect a similar thing, but can't see anything.

Here's the startup config registering the external IDP within our local IDP startup.

    using IdentityServer4;
    using Microsoft.IdentityModel.Tokens;

    // Registered in ConfigureServices after AddIdentityServer(): the external IDP is an
    // additional authentication scheme on the local IdentityServer host.
    services.AddAuthentication()
        .AddOpenIdConnect("Ext_oidc", "Ext OpenID Connect", options =>
        {
            // Temporary cookie holding the external identity until the local login
            // callback maps it to a local user.
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            // Scheme that is signed out when the external IDP sends a sign-out request
            // to this host (the handler's remote sign-out path, /signout-oidc by default).
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;
            options.Authority = "https://demo.identityserver.io/";
            options.ClientId = "implicit";
            options.ResponseType = "id_token";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "role"
            };
        });

Any suggestions would be gratefully received.


Solution

  • Have you provided an end session endpoint URL to the external IDP? If it's defined I'd expect it to be called as part of the explicit sign out process on the external IDP.
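As an added example (not code from the question or the answer above), the following shows what the answer's suggestion looks like on the local IdentityServer host: the external-IDP registration with the remote sign-out path made explicit plus a hook that fires when the external IDP's front-channel sign-out request arrives, and the MVC app's client registration with both a front-channel and a back-channel logout URI. The hostnames `idp.example.test` and `mvc.example.test`, the client id `mvc`, the back-channel path `/bc-logout` and the secret are hypothetical. It assumes that the client `implicit` on the external IDP has `https://idp.example.test/signout-oidc` registered as its front-channel logout URI, and that IdentityServer4 sends back-channel logout notifications when its own session is signed out; verify both against the external IDP's client configuration and your IdentityServer4 version, since neither is confirmed by the page.

```csharp
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public static class ExternalSignOutConfig
{
    // Hypothetical hosts; substitute the real ones.
    private const string LocalIdpBaseUrl = "https://idp.example.test";
    private const string MvcClientBaseUrl = "https://mvc.example.test";

    // 1. External IDP registration on the local IdentityServer host (ConfigureServices).
    public static void AddExternalIdp(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddOpenIdConnect("Ext_oidc", "Ext OpenID Connect", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.SignOutScheme = IdentityServerConstants.SignoutScheme;
                options.Authority = "https://demo.identityserver.io/";
                options.ClientId = "implicit";
                options.ResponseType = "id_token";

                // Explicit default. This is the URL the external IDP must load in its
                // front-channel logout iframe, i.e. the external IDP needs
                // LocalIdpBaseUrl + "/signout-oidc" registered as the front-channel logout
                // URI of client "implicit" (assumption: check the external IDP's config).
                options.RemoteSignOutPath = "/signout-oidc";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    RoleClaimType = "role"
                };

                options.Events = new OpenIdConnectEvents
                {
                    // Fires for a GET/POST to /signout-oidc. Before this event the handler
                    // has checked that the request's "iss" matches Authority and that its
                    // "sid" matches the sid claim of the session held under SignOutScheme;
                    // after it, the handler calls SignOutAsync(SignOutScheme), which ends
                    // the IdentityServer session.
                    OnRemoteSignOut = context =>
                    {
                        var logger = context.HttpContext.RequestServices
                            .GetRequiredService<ILoggerFactory>()
                            .CreateLogger("ExternalSignOut");
                        logger.LogInformation("Front-channel sign-out received from {Issuer}",
                            context.Options.Authority);
                        return Task.CompletedTask;
                    }
                };
            });
    }

    // 2. MVC app registration on the local IdentityServer.
    //    FrontChannelLogoutUri is only used when IdentityServer's own logout page renders
    //    its iframes. A sign-out that arrives at /signout-oidc never shows that page, so
    //    BackChannelLogoutUri is the channel that can reach the MVC app in that case
    //    (assumption: the MVC app exposes /bc-logout, validates the logout_token it is
    //    POSTed, and clears its own cookie/session).
    public static Client MvcClient() => new Client
    {
        ClientId = "mvc",
        ClientName = "MVC Client",
        AllowedGrantTypes = GrantTypes.Hybrid,
        ClientSecrets = { new Secret("secret".Sha256()) },
        RedirectUris = { $"{MvcClientBaseUrl}/signin-oidc" },
        PostLogoutRedirectUris = { $"{MvcClientBaseUrl}/signout-callback-oidc" },
        FrontChannelLogoutUri = $"{MvcClientBaseUrl}/signout-oidc",
        BackChannelLogoutUri = $"{MvcClientBaseUrl}/bc-logout",
        AllowedScopes = { "openid", "profile" }
    };
}
```

Two checks worth making before relying on this. First, the remote sign-out request is dropped by the OpenID Connect handler when its `sid` does not match the `sid` claim in the local session, so the external login callback must carry the `sid` claim from the external id_token over into the local IdentityServer session (the quickstart's external callback does this; confirm it was kept). Second, the external IDP's sign-out request runs inside an iframe on the external IDP's origin, so the local host's cookie is a third-party cookie in that request; browsers that block third-party cookies will make the `sid` check fail silently and nothing will be signed out, which is the failure mode the back-channel URI avoids.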