ADFS: Sign-out Process

In Active Directory Federation Services (AD FS), we support a WS-Federation passive sign-out request to the relying party security token service (RP-STS), which invokes a sign-out from each web application accessed during the current browser session. The identity provider security token service (IP-STS) is also included in the sign-out process. Note: The RP-STS and IP-STS are the same server in WebSSO scenarios where there is no federated partner.

Single-sign-on to the various web applications is maintained via session cookies in the browser, and the WS-Federation sign-out process will destroy these cookies so that the user will need to provide credentials for subsequent access to those applications.

WS-Federation sign-out URL:

https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

You can optionally provide an additional query string parameter to land the user on a specific page once sign-out is complete.

Query string parameter to use for post-sign-out landing:

wreply={post-sign-out_landing_URL}

Full URL using the wreply parameter:

https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0&wreply={post-sign-out_landing_URL}
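The following is an added example, not part of the original article or of AD FS itself: it builds the sign-out URL in the form shown above and inspects an incoming sign-out request, checking that wa is wsignout1.0 and that the wreply landing URL is an https URL on a host the deployment trusts. The host allow-list, the hostnames and the helper names are assumptions for illustration.

```python
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# The WS-Federation action value used for passive sign-out (from the article).
WA_SIGNOUT = "wsignout1.0"


def build_signout_url(rp_sts_host: str, wreply: Optional[str] = None) -> str:
    """Build https://{RP-STS}/adfs/ls/?wa=wsignout1.0[&wreply=...].

    rp_sts_host is the DNS name of the RP-STS; wreply, if given, is the
    post-sign-out landing URL and is URL-encoded as a query parameter.
    """
    params = {"wa": WA_SIGNOUT}
    if wreply:
        params["wreply"] = wreply
    return f"https://{rp_sts_host}/adfs/ls/?{urlencode(params)}"


def parse_signout_request(url: str, allowed_reply_hosts: Set[str]) -> dict:
    """Inspect a sign-out request URL as a relying party would.

    Returns whether the request is a sign-out, the wreply value (if any),
    and whether wreply points at an https URL on an allow-listed host.
    The allow-list is an assumed deployment policy, not an AD FS setting.
    """
    query = parse_qs(urlsplit(url).query)
    wa = query.get("wa", [None])[0]
    wreply = query.get("wreply", [None])[0]
    result = {"is_signout": wa == WA_SIGNOUT, "wreply": wreply, "wreply_allowed": None}
    if wreply is not None:
        reply = urlsplit(wreply)
        result["wreply_allowed"] = (
            reply.scheme == "https" and reply.hostname in allowed_reply_hosts
        )
    return result


if __name__ == "__main__":
    # Constructed sample hostnames, not real deployments.
    url = build_signout_url("sts.example.com", "https://app.example.com/signedout")
    print(url)
    print(parse_signout_request(url, {"app.example.com"}))
```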

Cookies used for WS-Federation sign-out:

AD FS 1.0/1.1 - LSCleanup

AD FS 2.0 - MSISSignOut and MSISSignOutReply (if you use the wreply parameter with the request)

When the user has an active session, each accessed resource and the IP-STS will have an entry in the sign-out cookie.

Reference: http://social.technet.microsoft.com/wiki/contents/articles/1439.ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx
