ADFS: Sign-out Process

In Active Directory Federation Services (AD FS), we support a WS-Federation passive sign-out request to the relying party security token service (RP-STS), which invokes a sign-out from each web application accessed during the current browser session. The identity provider security token service (IP-STS) is also included in the sign-out process. Note: The RP-STS and IP-STS are the same server in WebSSO scenarios where there is no federated partner.

Single-sign-on to the various web applications is maintained via session cookies in the browser, and the WS-Federation sign-out process will destroy these cookies so that the user will need to provide credentials for subsequent access to those applications.

WS-Federation sign-out URL:


You can optionally provide an additional query string parameter to land the user on a specific page once sign-out is complete.

Query string parameter to use for post-sign-out landing:


Full URL using the wreply parameter:


Cookies used for WS-Federation sign-out:

AD FS 1.0/1.1 - LSCleanup

AD FS 2.0 - MSISSignOut and MSISSignOutReply (if you use the wreply parameter with the request)

When the user has an active session, each accessed resource and the IP-STS will have an entry in the sign-out cookie.
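
As an added example (not part of the original article and not AD FS code), the following Python builds a WS-Federation sign-out URL and attaches `wreply` only when it points at an approved landing page, so the post-sign-out redirect cannot be steered to an arbitrary site. The host names, the `/adfs/ls/` endpoint path and the allow-list are assumptions; `wa=wsignout1.0` is the sign-out action defined by the WS-Federation passive profile.

```python
from urllib.parse import urlencode, urlsplit

# Assumptions (not from the original page): placeholder host names, the
# /adfs/ls/ passive endpoint path, and the allow-list of landing origins.
STS_PASSIVE_ENDPOINT = "https://sts.example.test/adfs/ls/"
ALLOWED_LANDING_ORIGINS = {("https", "portal.example.test")}


def validated_wreply(wreply):
    """Return wreply unchanged if it is an absolute https URL on an approved host.

    Raises ValueError otherwise, so an untrusted value never reaches the
    sign-out request.
    """
    parts = urlsplit(wreply)
    # Userinfo ("https://portal.example.test@other.host/") makes a URL look
    # like it targets an approved host while actually pointing elsewhere.
    if parts.username is not None or parts.password is not None:
        raise ValueError("wreply must not carry userinfo")
    # Only the default https port is accepted; .port raises ValueError itself
    # when the port is malformed.
    if parts.port not in (None, 443):
        raise ValueError("wreply must use the default https port")
    # urlsplit lower-cases scheme and hostname, so the comparison is exact.
    if (parts.scheme, parts.hostname) not in ALLOWED_LANDING_ORIGINS:
        raise ValueError("wreply is not an approved landing page: %r" % wreply)
    return wreply


def build_signout_url(wreply=None, endpoint=STS_PASSIVE_ENDPOINT):
    """Build the passive sign-out URL, optionally with a validated wreply."""
    params = [("wa", "wsignout1.0")]
    if wreply is not None:
        # urlencode percent-encodes the landing URL so its own ":", "/" and
        # "?" characters cannot be read as part of the sign-out query string.
        params.append(("wreply", validated_wreply(wreply)))
    return endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_signout_url())
    print(build_signout_url("https://portal.example.test/signed-out"))
```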

