0 votes

We currently have problems with Single Sign Out with ADFS 2.0 and an external IP-STS. Our setup is:

  RP1 <-- trust --> ADFS 2.0 <-- trust --> Custom IP-STS
  RP2 <-- trust --> ADFS 2.0 <-- trust --> Custom IP-STS

The Single Sign On part works very well: if users have already logged on using the Custom IP-STS to access RP1, they can thereafter access RP2 in the same browser session without having to log on again.

However, the problem comes in the sign out process. When users sign out from RP1, by using Fiddler we can see that:

  1. Sign out request (wsignout1.0) is sent to ADFS
  2. ADFS transfers sign out request to Custom IP-STS
  3. Custom IP-STS processes sign out action properly, and then returns back to ADFS
  4. ADFS does return back to (signed out) RP1
  5. RP1 is no longer authenticated, so of course is prompted for logging in again (CORRECT)
  6. HERE IS THE PROBLEM: RP2 is still able to work without any problem (with the previous claim set). And ADFS does not send any wsignoutcleanup1.0 action to RP2.

I assume that ADFS should do sign out for all RPs having the same session, but it doesn't. Am I wrong? Or am I missing some kind of configuration here?

Of course we have the option to explicitly send the wsignoutcleanup1.0 action to the RPs from the Custom IP-STS, but we would need to parse the "wctx" in order to get the original RP Url, which I don't want to do. I also tried to send the wsignoutcleanup1.0 action back to ADFS from the Custom IP-STS (step 3), but it didn't help either.


2 Answers

1 votes

My guess is that you are not returning iframes with wsignoutcleanup but rather images. Thus, ADFS does not return nested iframes; in other words, it doesn't escalate the signout properly.

A correct sequence is:

  1. application sends the signout request to ADFS
  2. ADFS escalates the request to the external STS
  3. STS returns a sequence of iframes pointing to authenticated applications (ADFS in this case) with wsignoutcleanup
  4. ADFS returns a nested iframe with wsignoutcleanup to all authenticated apps, including RP1 and RP2
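To make the sequence above concrete, here is an added example (not code from the answer, ADFS or any particular STS product) of the STS-side sign-out handler: it records which realms a browser session has been issued tokens for, and on a wsignout1.0 request answers with one iframe per realm carrying wa=wsignoutcleanup1.0, so the recipient (ADFS, or an RP) can run its own cleanup and nest further frames. The realm registry, the example.test hosts and the function names are constructed for illustration. The cleanup targets come from the STS's own trust configuration rather than from wctx, and wreply is only honoured when it points at a registered RP host.

```python
"""Minimal WS-Federation sign-out handler: iframes (not images) per authenticated realm."""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry (hypothetical hosts): realm -> endpoint that accepts wsignoutcleanup1.0.
# A real STS loads this from its relying-party trust configuration, never from the request.
TRUSTED_RPS = {
    "urn:federation:adfs": "https://adfs.example.test/adfs/ls/",
    "https://rp1.example.test/": "https://rp1.example.test/",
    "https://rp2.example.test/": "https://rp2.example.test/",
}


class StsSession:
    """Server-side record of which realms this browser session received tokens for."""

    def __init__(self):
        self.realms = []

    def record_signin(self, wtrealm):
        # Only realms with a configured trust may be remembered; the set drives sign-out fan-out.
        if wtrealm not in TRUSTED_RPS:
            raise ValueError(f"sign-in for unknown realm {wtrealm!r}")
        if wtrealm not in self.realms:
            self.realms.append(wtrealm)


def parse_wsfed_query(query):
    """Flatten a WS-Federation query string (wa, wreply, wctx, ...) to single values."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def cleanup_url(realm):
    """Build the wsignoutcleanup1.0 URL for a registered realm."""
    endpoint = TRUSTED_RPS[realm]
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode({"wa": "wsignoutcleanup1.0"})


def safe_wreply(wreply):
    """Honour wreply only if it targets a registered RP host over https (blocks open redirects)."""
    if not wreply:
        return None
    target = urlsplit(wreply)
    for endpoint in TRUSTED_RPS.values():
        if target.scheme == "https" and target.netloc == urlsplit(endpoint).netloc:
            return wreply
    return None


def handle_signout(session, query):
    """Answer a wsignout1.0 request with one cleanup iframe per realm the session signed into."""
    params = parse_wsfed_query(query)
    if params.get("wa") != "wsignout1.0":
        raise ValueError("not a wsignout1.0 request")
    frames = "\n".join(
        f'  <iframe src="{escape(cleanup_url(r), quote=True)}" width="0" height="0"></iframe>'
        for r in session.realms
    )
    session.realms.clear()  # the STS tears down its own session as well
    reply = safe_wreply(params.get("wreply"))
    nav = (f'  <p><a href="{escape(reply, quote=True)}">Return to application</a></p>'
           if reply else "")
    return f"<html><body>\n{frames}\n{nav}\n</body></html>"


if __name__ == "__main__":
    s = StsSession()
    for realm in TRUSTED_RPS:
        s.record_signin(realm)
    print(handle_signout(s, "wa=wsignout1.0&wreply=https%3A%2F%2Frp1.example.test%2F"))
```

In the questioner's topology the custom IP-STS would have recorded only the ADFS realm, so its response contains a single iframe pointing at ADFS with wa=wsignoutcleanup1.0; ADFS, acting as STS for RP1 and RP2, then applies the same logic and emits the nested frames for both relying parties. If the STS emits <img> tags instead, the browser fetches the cleanup URL but the recipient's own HTML response (and any nested iframes in it) is never rendered, which is exactly the missing fan-out the answer describes.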

0 votes

It sounds like the custom STS is not sending the signoutcleanup to ADFS.