Even before I ask my question, I want to clarify that I need single sign-out for ADFS that is installed on Windows Server 2012 R2, not for ADFS 2.0 or a lower version.
This seems to be very common functionality that must be provided as a standard feature by the STS, but unfortunately it looks like it is not.
Here is my use case:
- I have 2 claims aware applications App1 and App2. Both these apps are protected by ADFS (which means they are registered as relying parties in ADFS)
- User tries to access App1 and he is redirected to the ADFS Signin page.
- He/she enters his/her credentials and is able to access App1. 4 cookies related to SSO are created for the ADFS domain. 2 cookies (FedAuth1, FedAuth2) are created for the App1 domain.
- Now the user tries to visit App2 and gets automatically logged in without having to enter credentials again. Now two more cookies (FedAuth, FedAuth1) are created for the App2 domain.
Up to this point everything is working fine.
Now the user logs out of App1. Basically what I'm doing is just redirecting the user to the URL below: 'https://[sts-dns-url]/adfs/ls/?wa=wsignout1.0'
Below are the cookies I noticed that are getting deleted.
- All 4 Cookies on ADFS (like MSISAuth, MSISAuthenticated etc.)
- FedAuth, FedAuth1 cookies of App1 domain
What I would also like to have deleted: the FedAuth, FedAuth2 cookies of the App2 domain.
Does anyone know how to do this? Great if you can share some knowledge here.
A few other things I have tried:
Accessing the ADFS URL in an iframe and trying to read the MSISSignOut cookie, which has the list of relying parties the user has visited during his SSO session. This was not successful since ADFS doesn't like iframes.
Could someone at least tell me how to read this MSISSignOut cookie, which is on the ADFS domain, so I can try to manually call each RP to clear all the cookies?
All suggestions are welcome!
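As an added illustration (not part of the original post and not ADFS or WIF code), a constructed in-memory simulation of WS-Federation passive sign-out: the STS records which relying parties took part in the SSO session (the role the MSISSignOut cookie plays on ADFS) and, when it receives wsignout1.0, sends each of them a wsignoutcleanup1.0 request, which is the only point at which an RP expires its chunked FedAuth* session cookie. Domains, cookie values and the `notify_rps` switch are made up to show why App2's cookies survive when that notification never happens.

```python
from urllib.parse import parse_qs, urlsplit

def wa_param(url):
    return parse_qs(urlsplit(url).query).get("wa", [None])[0]  # WS-Federation action

class RelyingParty:
    def __init__(self, domain, jar):
        self.domain, self.jar = domain, jar

    def start_session(self, chunks):
        # FedAuth, FedAuth1, ... : the chunked session cookie the app writes after the token post-back
        self.jar[self.domain] = {f"FedAuth{i or ''}": "part" for i in range(chunks)}

    def fedauth_cookies(self):
        return sorted(n for n in self.jar.get(self.domain, {}) if n.startswith("FedAuth"))

    def handle(self, url):
        """Clean-up endpoint: expire every FedAuth* cookie, leave other cookies alone."""
        if wa_param(url) != "wsignoutcleanup1.0":
            return 400
        for name in self.fedauth_cookies():
            del self.jar[self.domain][name]
        return 200

class SecurityTokenService:
    def __init__(self, domain, jar):
        self.domain, self.jar, self.session_rps = domain, jar, []

    def sign_in(self, rp, chunks=2):
        self.jar.setdefault(self.domain, {}).update(MSISAuth="sso", MSISAuthenticated="1")
        self.session_rps.append(rp)  # the list the MSISSignOut cookie keeps on the STS
        rp.start_session(chunks)

    def handle(self, url, notify_rps):
        if wa_param(url) != "wsignout1.0":
            return 400
        self.jar.pop(self.domain, None)  # STS cookies are cleared either way
        if notify_rps:  # without this step App2 never learns the session ended
            for rp in self.session_rps:
                rp.handle(f"https://{rp.domain}/?wa=wsignoutcleanup1.0")
        self.session_rps.clear()
        return 200

def run_signout(notify_rps):  # SSO into App1 and App2, then sign out at the STS
    jar = {}
    sts = SecurityTokenService("sts.example", jar)
    app1, app2 = RelyingParty("app1.example", jar), RelyingParty("app2.example", jar)
    sts.sign_in(app1)
    sts.sign_in(app2, chunks=3)
    sts.handle("https://sts.example/adfs/ls/?wa=wsignout1.0", notify_rps)
    return {rp.domain: rp.fedauth_cookies() for rp in (app1, app2)}
```

`run_signout(False)` leaves both apps' FedAuth cookies in place while the STS cookies are already gone; `run_signout(True)` clears them all.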