In Active Directory Federation Services (AD FS), we support a WS-Federation passive sign-out request to the relying party security token service (RP-STS), which invokes a sign-out from each web application accessed during the current browser session. The identity provider security token service (IP-STS) is also included in the sign-out process. Note: The RP-STS and IP-STS are the same server in WebSSO scenarios where there is no federated partner.
Single sign-on to the various web applications is maintained via session cookies in the browser, and the WS-Federation sign-out process destroys these cookies so that the user must provide credentials again for subsequent access to those applications.
WS-Federation sign-out URL:
You can optionally provide an additional query string parameter to land the user on a specific page once sign-out is complete.
Query string parameter to use for post-sign-out landing:
Full URL using the wreply parameter:
Cookies used for WS-Federation sign-out:
AD FS 1.0/1.1 - LSCleanup
AD FS 2.0 - MSISSignOut and MSISSignOutReply (if you use the wreply parameter with the request)
When the user has an active session, each accessed resource and the IP-STS will have an entry in the sign-out cookie.
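The following is an added example, not code from the original post or from AD FS itself. It models the AD FS 2.0 sign-out flow described above: the browser holds an MSISSignOut cookie with one entry per realm visited (IP-STS included), the sign-out request is built with the standard WS-Federation wa=wsignout1.0 action plus an optional wreply, every listed realm is signed out, the cookies are destroyed, and the user lands on the wreply page. The endpoint, realm names and the registry of allowed wreply landing pages are constructed values; checking wreply against a registry is an assumption of this example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for this example: the STS sign-out endpoint, the IP-STS
# realm, and the post-sign-out pages registered for the relying parties.
STS_SIGNOUT_ENDPOINT = "https://sts.example.com/adfs/ls/"
IP_STS_REALM = "urn:federation:example-ipsts"
REGISTERED_WREPLY = {"https://portal.example.com/signed-out",
                     "https://crm.example.com/"}

def build_signout_url(wreply=None):
    """Build a WS-Federation passive sign-out request (wa=wsignout1.0).
    wreply is accepted only when it is a registered landing page (assumption)."""
    params = {"wa": "wsignout1.0"}
    if wreply is not None:
        if wreply not in REGISTERED_WREPLY:
            raise ValueError("wreply is not a registered landing page")
        params["wreply"] = wreply
    return STS_SIGNOUT_ENDPOINT + "?" + urlencode(params)

class BrowserSession:
    """Models the AD FS 2.0 cookies: MSISSignOut records every realm that
    took part in this session; MSISSignOutReply remembers the landing page."""
    def __init__(self):
        self.cookies = {"MSISSignOut": IP_STS_REALM}  # IP-STS is always listed
        self.app_sessions = {}  # per-application session cookies (SSO state)

    def access(self, rp_realm):
        # Visiting a relying party creates its session cookie and records it.
        self.app_sessions[rp_realm] = "session-cookie"
        if rp_realm not in self.cookies["MSISSignOut"].split("|"):
            self.cookies["MSISSignOut"] += "|" + rp_realm

def process_signout(session, url):
    """Handle the sign-out request: sign out every realm in MSISSignOut,
    destroy the session cookies, and report where the browser lands."""
    query = parse_qs(urlsplit(url).query)
    if query.get("wa") != ["wsignout1.0"]:
        raise ValueError("not a WS-Federation sign-out request")
    requested = query.get("wreply", [None])[0]
    if requested is not None:
        session.cookies["MSISSignOutReply"] = requested
    signed_out = session.cookies["MSISSignOut"].split("|")
    for realm in signed_out:            # each RP clears its own SSO cookie
        session.app_sessions.pop(realm, None)
    landing = session.cookies.get("MSISSignOutReply")
    session.cookies.clear()             # MSISSignOut and MSISSignOutReply gone
    return signed_out, landing
```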