ADFS 2.0 Single Sign Out Not Signing Out

Ryan Duffing · Sep 6, 2013 · Viewed 10.3k times

I'm having an issue with a web application I'm writing that implements ADFS 2.0. I am able to get users to sign in just fine, but I do have situations where the user needs to be able to sign out of the application to allow other users to sign in.

What happens is when the user clicks the sign out button it runs through the following method:

    using System;
    using Microsoft.IdentityModel.Web; // WIF 3.5 / ADFS 2.0 era assembly

    public void SignOut()
    {
        // Sends the WS-Federation sign-out request to the ADFS issuer and
        // clears the local session, then returns the browser to the realm.
        WSFederationAuthenticationModule.FederatedSignOut(new Uri(Properties.Settings.Default.ADFSIssuer),
            new Uri(Properties.Settings.Default.ADFSRealm));
    }

My ADFS Issuer is the https://adfs.domain.com/adfs/ls/ piece, and my ADFS Realm is the main url of my web application.

The application appears to have then signed out. When another user clicks the Login button, it automatically signs them in as the previous user without prompting for credentials.

I've looked at the following resources for assistance and nothing has worked:

https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/195
http://social.technet.microsoft.com/wiki/contents/articles/1439.ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx

Am I not supposed to be able to signout of an ADFS application without closing the browser?

Answer

Wiktor Zychla · Sep 6, 2013

I am only guessing but I suspect that your adfs is configured for windows authentication while your application has the Login button (it is not clear from your description).

If this is the case then you can't really log out from already authenticated adfs and it happily reissues the token upon the next request from the application. You can't do anything about it since the authentication is performed with ntlm/kerberos and this is the browser that keeps your credentials until you close it.

The solution would be to change adfs to Forms mode (switch the order of providers in adfs web.config) so that not only the adfs has its own cookies but also these cookies are truly removed when you issue the sign out message.
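The provider reordering the answer describes, as an added example that is not part of the original post: in AD FS 2.0 the local authentication handlers are listed under localAuthenticationTypes in the AD FS web.config (assumed here to live at C:\inetpub\adfs\ls\web.config, inside the microsoft.identityServer.web section), and the first entry is the one AD FS uses by default. The "before" fragment is the Windows-authentication ordering that silently reissues the previous user's token; the "after" fragment puts Forms first so AD FS holds its own session cookie that the sign-out request can remove.

```xml
<!-- Added example, not from the original page. Fragment of the AD FS 2.0
     web.config (assumed path: C:\inetpub\adfs\ls\web.config), inside
     <microsoft.identityServer.web>. Only the order of the entries changes. -->

<!-- BEFORE: Integrated (NTLM/Kerberos) is first. The browser keeps the
     Windows credentials, so after FederatedSignOut the next request to
     AD FS is re-authenticated as the same user without any prompt. -->
<localAuthenticationTypes>
  <add name="Integrated" page="auth/integrated/" />
  <add name="Forms" page="FormsSignIn.aspx" />
  <add name="TlsClient" page="auth/sslclient/" />
  <add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>

<!-- AFTER: Forms is first. AD FS shows its own sign-in form and tracks the
     session in its own cookie; the WS-Federation sign-out clears that cookie,
     so the next Login click prompts for credentials instead of reusing the
     previous user. -->
<localAuthenticationTypes>
  <add name="Forms" page="FormsSignIn.aspx" />
  <add name="Integrated" page="auth/integrated/" />
  <add name="TlsClient" page="auth/sslclient/" />
  <add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>
```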