Single Logout (SLO) with external identity provider

[cssjoseth]

We would like clarification on the expected single logout (SLO) behavior when using Duende IdentityServer with an external identity provider.

Setup

• Duende IdentityServer (IDSrv)
• External IdP (e.g., Microsoft Entra ID)
• App1 authenticates via IDSrv (which delegates to the external IdP)
• App2 authenticates directly against the external IdP

Scenario

• The user signs in to App2.
• The user later signs in to App1 and is automatically authenticated due to an existing session at the external IdP (SSO).

Questions

From a design perspective, if the user logs out from App2 (directly at the external IdP), is it expected that this also logs the user out from IDSrv and, by extension, App1?

According to the Duende documentation on external sign-out notifications:
https://docs.duendesoftware.com/identityserver/ui/logout/external-notification

Federated sign-out is described as “automatically supported”, with IdentityServer rendering the necessary logout <iframe> when it receives a federated sign-out request.

Is our understanding correct that, in this model:

• The external IdP should be configured with a front-channel logout URI pointing to the RemoteSignOutPath for the external IdP in IdentityServer, and
• No custom logic (such as overriding OnRemoteSignOut) is normally required?

In our setup, when the external IdP initiates a federated sign-out, the IdentityServer session appears to remain active. We would like to understand whether this is expected by design, a limitation of the scenario (e.g. browser / mixed clients), or whether additional configuration is required.

PS: We have an active Duende license.

[wcabus]

The external IdP should be configured with a front-channel logout URI pointing to the RemoteSignOutPath for the external IdP in IdentityServer

Correct. To set up federated sign-out, you indeed need to configure the front-channel logout URI in Entra ID in this case to end the session at the level of Duende IdentityServer whenever the user signs out from Entra ID, either directly or via App2.

No custom logic (such as overriding OnRemoteSignOut) is normally required?

To flow the logout event through to App1, your App1 client in Duende IdentityServer needs to be configured with either a back-channel logout or front-channel logout URI as well. This is what we mean when we say "automatically supported": Duende IdentityServer renders the <iframe> to trigger front-channel logout requests for every client which has a front-channel logout URI configured, and performs back-channel logout requests when a client has a back-channel logout URI configured.

You can find additional information about these client logout notifications in our documentation.

[cssjoseth]

Thanks for the clarification.

I can confirm that the proposed solution works when the client is configured with front-channel logout.

However, in my testing, Duende IdentityServer does not trigger a back-channel logout, even though the client is configured with a BackChannelLogoutUri. Only the front-channel logout notification is executed.

So at the moment, the behavior I’m observing is:

• ✅ Front-channel logout → triggered correctly
• ❌ Back-channel logout → not triggered

Is there an additional configuration step required to have back-channel logout triggered in this scenario?

[wcabus]

If you temporarily enable debug-level logs for the Duende namespace, you should see some of the following messages if back-channel logout is being triggered. Can you check if you see messages like the following?

[17:03:52 Debug] Duende.IdentityServer.Services.DefaultSessionCoordinationService
Due to user logout, invoking backchannel logout for subject id 16B47FAD6A40C4DE3ABFA8D167089829AEBE6B7188888839A4145EA75DB1EBEC and session id 3A745FEAFDCBFF42DB01911229167A56

[17:03:52 Debug] Duende.IdentityServer.Services.LogoutNotificationService
Client back-channel logout URLs: https://app2.example.org/backchannel-logout

[17:03:52 Debug] Duende.IdentityServer.Services.DefaultBackChannelLogoutHttpClient
Response from back-channel logout endpoint: https://app2.example.org/backchannel-logout status code: 200

If you don't see these messages, then I would double-check if the back-channel logout URI has been configured correctly for the App1 client application.

If you do see these log entries, but back-channel logout doesn't seem to be working in App1, I would set a breakpoint in App1's back-channel logout handler and the custom cookie authentication event class's ValidatePrincipal method, assuming this is an ASP.NET Core web application.

We also have a basic ASP.NET Core MVC sample showcasing how to implement back-channel logout, in case you want to see some sample code. Do note that you would need to implement a more robust version of the LogoutSessionManager class, backed by a database or other type of storage.

[cssjoseth]

When the client used by App1 is registered with a Back-channel logout URL, this is what I observe:

If I log out from App2, I can see in the browser inspector that the front-channel logout URL registered at the external IdP is called:

https://{MyIdentityServer}/signout-entra

This same path (/signout-entra) is registered as RemoteSignOutPath in the OpenIdConnectOptions for the external IdP.

However:

• I do not see the log messages you mentioned.
• A breakpoint in ProcessLogoutAsync(UserSession session) inside DefaultSessionCoordinationService is not hit.

On the other hand, if I log out directly from App1:

• I do see the expected log messages.
• The breakpoint in ProcessLogoutAsync is hit.

This seems to indicate that the back-channel logout configuration for the App1 client is correct, since it works when logout is initiated locally from App1.

Below are the relevant parts of my configuration.

External IdP configuration

Front-channel logout URL:
https://{MyIdentityServer}/signout-entra

IdentityServer registration of the external IdP

authenticationBuilder.AddOpenIdConnect(
    "entra",
    "EntraID",
    options =>
    {
        options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
        options.CallbackPath = "/signin-oidc-entra";
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.ClientId = "<client-id>";
        options.ClientSecret = "<client-secret>";
        options.SaveTokens = true;
        options.ResponseType = "code";
        options.SignedOutCallbackPath = "/signoutcallback-entra";
        options.RemoteSignOutPath = "/signout-entra";
    });