SSO with ASP.NET Identity and cookie sharing: should I check the security stamp with the SSO application on every request?
Suppose we have an SSO web application (for example login.company.com) that all users log in through, and it sets a cookie for company.com that is used for authentication in all the systems on the subdomains of company.com, for example the human resources system (hr.company.com). The SSO web application uses ASP.NET Identity.
Now we want the system admin to be able to log the user out of all of their sessions in all of the systems in the company, or the admin must be able to change the claims of a particular user and this change should be reflected in all of the company's systems.
Does this require that all the systems that use the SSO check the cookie's security stamp with the main SSO web app? What is the best way to do this? Should there be a web service on the SSO web application so that the other web applications can check whether the security stamp is valid on every request? How can we do it without affecting performance negatively?
Thanks a lot