We have a website, which our users access by getting an STS from ADFS. ADFS issues claims by checking the user's group memberships in Active Directory. The website uses WIF to access claims and handle authentication.
Is there a way, when a user's AD data changes (e.g. they have all their group memberships removed), to have those changes reflected immediately (same session, at least from the user's PoV) in their claims for the RP? Currently, if we revoke membership in AD, that user's claims for the RP (in their current session) aren't affected. They have the same claims, and access, that they had before the revocation, until the user's ADFS session expires (which could be hours away).
E.g. user U1 logs in to our website W1 via ADFS, browses round a bit, and then has his memberships cancelled in AD. We need U1 to be logged out of W1 automatically within a short time period (minutes). If not logged out, having their claimset in WIF reset to reflect their now-empty AD group memberships would also be acceptable.
Is this possible? All the documentation I can find seems to assume that the website itself (W1) knows when the user should have their session terminated - in our case W1 doesn't know, the "trigger" for session expiry (or at least claims amendment) will be from AD.
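One way to get the behaviour the question asks for, as an added example that is not part of the original post: the RP itself re-checks AD on a timer inside WIF's session pipeline. WIF raises `SessionSecurityTokenReceived` on every request that carries a session cookie; the handler below re-queries the user's AD groups every few minutes, and if any group SID that was in the token has been revoked it throws the session away, so the next request goes back through ADFS, which runs its claim rules again and issues a token with the current (possibly empty) group set. Assumptions made here, none of which come from the question: WIF 4.5 namespaces (`System.IdentityModel.Services`); the module is registered in web.config under the name `SessionAuthenticationModule` so the Global.asax method name auto-wires; ADFS issues groups as `GroupSid` claims (the "Token-Groups as SIDs" rule) and the name claim holds the sAMAccountName; the app pool identity can read AD; the `lastadcheck` claim type URI and the 5-minute interval are illustrative choices.

```csharp
// Added example, not code from the question. Re-validates AD group membership
// inside the WIF session pipeline and drops the RP session when a group is revoked.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Globalization;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Web;

public class Global : HttpApplication
{
    // How long the cached claims are trusted before AD is consulted again (assumed value).
    private static readonly TimeSpan RecheckInterval = TimeSpan.FromMinutes(5);

    // Hypothetical private claim type used to stamp the last AD check into the session cookie.
    private const string LastCheckClaim = "http://example.org/claims/lastadcheck";

    // Only domain SIDs (S-1-5-21-...) are compared; well-known SIDs such as
    // Authenticated Users differ between ADFS output and the local lookup.
    private static bool IsDomainSid(string sid) => sid.StartsWith("S-1-5-21-", StringComparison.OrdinalIgnoreCase);

    // Wired automatically by ASP.NET because the method name is <ModuleName>_<EventName>.
    // Fires on every request that presents a WIF session cookie.
    protected void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var token = e.SessionToken;
        var identity = token.ClaimsPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // Throttle: only hit AD once per interval, using the stamp stored in the cookie.
        var stamp = identity.FindFirst(LastCheckClaim);
        DateTime lastCheck = stamp != null
            ? DateTime.ParseExact(stamp.Value, "o", CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind)
            : token.ValidFrom;
        if (DateTime.UtcNow - lastCheck < RecheckInterval) return;

        // Assumes the name claim carries the sAMAccountName (adjust for DOMAIN\user or UPN).
        HashSet<string> currentGroups = GetAdGroupSids(identity.Name);

        var cachedGroups = identity.FindAll(ClaimTypes.GroupSid)
            .Select(c => c.Value).Where(IsDomainSid)
            .ToList();

        // Account gone, or a group the token still carries has been revoked: kill the session.
        // Additions are not picked up here; they appear after the next trip through ADFS.
        if (currentGroups == null || !cachedGroups.All(currentGroups.Contains))
        {
            e.Cancel = true;                      // do not authenticate this request from the cookie
            FederatedAuthentication.SessionAuthenticationModule.SignOut();   // delete the RP session cookie
            // The next request is redirected to ADFS, which re-evaluates its claim rules against AD.
            return;
        }

        // Membership unchanged: stamp the check time and reissue the cookie with the same lifetime.
        var claims = identity.Claims.Where(c => c.Type != LastCheckClaim).ToList();
        claims.Add(new Claim(LastCheckClaim, DateTime.UtcNow.ToString("o", CultureInfo.InvariantCulture)));
        var refreshed = new ClaimsIdentity(claims, identity.AuthenticationType);
        e.SessionToken = new SessionSecurityToken(new ClaimsPrincipal(refreshed), token.Context, token.ValidFrom, token.ValidTo);
        e.ReissueCookie = true;
    }

    // Transitive group SIDs for the user as AD sees them right now; null if the account no longer exists.
    private static HashSet<string> GetAdGroupSids(string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return null;
            using (var groups = user.GetAuthorizationGroups())
            {
                return new HashSet<string>(
                    groups.Where(g => g.Sid != null).Select(g => g.Sid.Value).Where(IsDomainSid),
                    StringComparer.OrdinalIgnoreCase);
            }
        }
    }
}
```

The trigger still comes from AD, as the question wants: the site does not need to know that a change happened, it only needs to ask AD often enough. The check costs one LDAP round trip per user per interval, and because the cookie is reissued with the original `ValidTo` the overall session lifetime is unchanged. Signing out at the RP only (rather than a federated sign-out) is deliberate: the ADFS SSO cookie can stay, since ADFS rebuilds the claim set from AD on each token issuance, so the user is silently sent back with claims that now reflect the revocation.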