We have a situation where we are a Relying Party and are performing a federated log out, but do NOT want to log the user out of their IP-STS.

Has anyone had any experience with this utilizing ADFS? The issue is the automatic request going back to the IDP for logout and we would like to be able to optionally skip that step for certain use cases.

1 Answer

Tricky topic... And it may well be different on different versions and patch levels of ADFS. In the past you would request wa=wsignoutcleanup1.0 at the first upstream IP. That would cause a signout (clearing of identity cookies) of all RPs below it and of itself. That is what you want, isn't it?

But somewhere, someone at Microsoft decided that they would request a signout (with wa=wsignout1.0) at the next IdP too. In my opinion that is a bug. Just test the wsignoutcleanup1.0 request; if it doesn't work, report a bug...
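An added illustration of the two WS-Federation sign-out messages the answer contrasts, written for this page rather than taken from the thread or from ADFS itself. The endpoint URLs are constructed placeholders; the RP-side handler treats wsignoutcleanup1.0 as a local cookie clean-up with no further hop and only follows a wsignout1.0 wreply whose host is on the RP's own allow list.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder endpoints; not taken from the thread.
IP_STS_ENDPOINT = "https://sts.example.test/adfs/ls/"
RP_LANDING = "https://rp.example.test/signed-out"

WA_SIGNOUT = "wsignout1.0"               # full sign-out; the STS may forward it upstream
WA_SIGNOUT_CLEANUP = "wsignoutcleanup1.0"  # clear identity cookies only, no upstream hop


def build_signout_request(propagate_upstream: bool, wreply: str = RP_LANDING) -> str:
    """Build the GET an RP sends to its IP-STS to end the federated session.

    propagate_upstream=False selects wa=wsignoutcleanup1.0, the variant the
    answer recommends when the user must stay signed in at the upstream IdP.
    """
    wa = WA_SIGNOUT if propagate_upstream else WA_SIGNOUT_CLEANUP
    return IP_STS_ENDPOINT + "?" + urlencode({"wa": wa, "wreply": wreply})


def handle_signout_at_rp(request_url: str, session: dict,
                         allowed_wreply_hosts: frozenset) -> dict:
    """RP-side handling of an incoming WS-Federation sign-out message.

    Both message types clear the local session. Only wsignout1.0 carries a
    redirect, and that redirect is honoured only for an https wreply whose
    host is allow-listed, so the endpoint cannot serve as an open redirect.
    """
    q = parse_qs(urlsplit(request_url).query)
    wa = q.get("wa", [""])[0]
    if wa not in (WA_SIGNOUT, WA_SIGNOUT_CLEANUP):
        return {"action": "reject", "reason": f"unknown wa={wa!r}"}
    session.clear()                      # drop the RP's own identity cookie/session
    if wa == WA_SIGNOUT_CLEANUP:
        return {"action": "cleanup"}     # cleanup is terminal: nothing to redirect to
    wreply = q.get("wreply", [""])[0]
    parts = urlsplit(wreply)
    if parts.scheme == "https" and (parts.hostname or "") in allowed_wreply_hosts:
        return {"action": "redirect", "to": wreply}
    return {"action": "cleanup", "reason": "wreply not on allow list"}
```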