IdentityServer3, can't update cookie when apps

Published 2019-06-13 02:41

Question:

I set up several test sites for SSO using IdentityServer3, pretty much the cookie-cutter sample apps with minor variations. They work well except for one thing: when trying to single sign OUT and/or update claims via cookie, it only works if all apps are on the same machine.

For example, these two apps can single sign out.

http://localhost:81
http://localhost:82

Claims updated in one app using the following also show up in the other.

        // Requires the OWIN host-integration package (Microsoft.Owin.Host.SystemWeb):
        // using System.Security.Claims;
        // using System.Web;
        // using Microsoft.Owin.Security;
        // Re-issue the local authentication cookie with the updated identity. This only
        // rewrites the cookie of the current application; it does not touch IdentityServer.
        var authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
        authenticationManager.AuthenticationResponseGrant =
            new AuthenticationResponseGrant(new ClaimsPrincipal(identity),
                 new AuthenticationProperties { IsPersistent = false });

It also works if I configure the apps like this:

http://mymachine/app1
http://mymachine/app2

But if I mix the two

http://localhost:81
http://mymachine/app2

Then it won't work. Tried SignOut/SignIn too, same result. They still single sign on, but can't sign out together. Changes in claims won't show in the other. Of course, it's the same if I deploy the apps to different servers. As if the cookie update happened on the local machine, rather than on IdSvr.

Any hint what I missed? Thanks.

Answer 1:

Single Sign Off is not available out of the box; unfortunately, the behavior you were seeing when in the same domain was a bit of a red herring.

Out of the box, when you log out of IdentityServer, your client applications will only find out and log out themselves once they make a new request to IdentityServer (maybe their own application cookie expired and they went to re-log in, or maybe they tried to request a token).

To implement Single Sign Off, each of your client applications needs to have a way of being told by IdentityServer that it needs to log out. This can be done using a front-channel HTTP request or by session management.

Check out the IdentityServer Signout Support documentation for more details on how to do this or check out Brock Allen's post on the subject.
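As an added example of the front-channel approach the answer mentions (this is not code from the original post or from IdentityServer3 itself), here is what the client side of it can look like in an OWIN-hosted ASP.NET MVC 5 app. It assumes the client is registered in IdentityServer3 with `LogoutUri` pointing at the `/signout-idsrv` action below and `LogoutSessionRequired = true`, so that IdentityServer's signed-out page loads that URL in a hidden iframe with the ended session id as `?sid=`. The authority URL, client id and the cookie authentication type name `"Cookies"` are placeholders.

```csharp
// Added example, not part of the original post or of IdentityServer3.
// Assumed packages: Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect,
// Microsoft.Owin.Host.SystemWeb (for Request.GetOwinContext()).
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"            // placeholder name, reused below
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsrv.example.test/identity",   // placeholder
            ClientId = "mvc-app1",                               // placeholder
            RedirectUri = "http://mymachine/app1/",
            PostLogoutRedirectUri = "http://mymachine/app1/",
            ResponseType = "id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = "Cookies",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    // Trim the identity stored in the local cookie, but keep the
                    // IdentityServer session id ("sid") from the id_token: the logout
                    // endpoint below needs it to tell whose session is being ended.
                    var src = n.AuthenticationTicket.Identity;
                    var id = new ClaimsIdentity(src.AuthenticationType, "name", "role");
                    foreach (var type in new[] { "sub", "name", "sid" })
                    {
                        var claim = src.FindFirst(type);
                        if (claim != null) id.AddClaim(claim);
                    }
                    n.AuthenticationTicket =
                        new AuthenticationTicket(id, n.AuthenticationTicket.Properties);
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class SignoutController : Controller
{
    // Registered as this client's LogoutUri. IdentityServer loads it in a hidden iframe
    // on its signed-out page for every client that took part in the session.
    [HttpGet]
    public ActionResult SignoutIdsrv(string sid)
    {
        var auth = Request.GetOwinContext().Authentication;
        var user = auth.User;

        if (user != null && user.Identity.IsAuthenticated && !string.IsNullOrEmpty(sid))
        {
            var localSid = user.FindFirst("sid");
            // Only clear the local cookie when the sid matches the session we signed in
            // with; otherwise any page able to frame this URL could sign the user out.
            if (localSid != null && localSid.Value == sid)
            {
                auth.SignOut("Cookies");
            }
        }

        // The iframe body is never shown; answer 200 either way so the response does not
        // reveal whether a session existed here, and keep it out of caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        return new HttpStatusCodeResult(200);
    }
}
```

Because the sign-out request arrives inside an iframe served from IdentityServer's origin, the client's cookie is sent as a third-party cookie; browsers that block third-party cookies or default cookies to `SameSite=Lax` will not deliver it, and the local sign-out silently does nothing. When verifying this setup, check the iframe request in the browser's network tab for the presence of the client cookie rather than only watching the IdentityServer side.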