
ADFS 3.0 Single Sign Out with Relying Party STS

I am implementing Single Sign Out functionality. My setup is: ASP.NET Relying Party <-> Relying Party STS <-> SAML2 STS. The SAML2 STS has the user directory. I am using ADFS 3.0 for the Relying Party STS. The ASP.NET Relying Party communicates with the Relying Party STS using the WS-Federation protocol, and the Relying Party STS communicates with the SAML2 STS via the SAML2 protocol.

The behavior I am trying to implement is Single Sign Out functionality. When the user signs off from the ASP.NET application, the ASP.NET application sends a sign-off request to the Relying Party STS using the WS-Federation protocol. The Relying Party STS forwards the sign-out request to the SAML2 STS using the SAML2 protocol the first time. But if the user logs back in immediately and logs out again, the Relying Party STS doesn't forward the sign-out request to the SAML2 STS. Instead of being forwarded to the SAML2 STS, the user sees the "Logged out" page of the Relying Party STS (ADFS 3.0). It seems like ADFS 3.0 maintains the MSISSignoutProtocol cookie for 10 minutes, and until that cookie expires it doesn't forward the sign-out request to the SAML2 STS.

How can I fix this issue? I want the user to always get redirected to the SAML2 STS by the Relying Party STS (ADFS 3.0) when the user logs out. Is there any configuration available to override the behavior that I am seeing on ADFS 3.0?

In your web app, what is the signout URL set to? To work properly with ADFS 3.0 it should be

https://fs.company.com/adfs/ls/idpinitiatedsignon.aspx

For ADFS 2.0 it used to be

https://fs.company.com/adfs/ls/?wa=wsignout1.0

but that causes the behavior you described: it sets the MSISSignOutProtocol cookie, which then prevents the MSISAuth cookie from being deleted and keeps the session active.
