1
votes

We have a strange problem with our ADFS setup but I can't understand why it's happening.

ADFS is used to connect to SharePoint that is hosted by a cloud provider. Their domain is called cloudsp.eu. Our internal domain is called "hobnobs.internal.eu".

We have a Web proxy with a public DNS record of "login.cloudsp.eu". The WAP has a published Web Application configured with External and Internal URLs as https://login.cloudsp.eu.

The internal ADFS Federation service name is login.cloudsp.eu.

It also has a hosts file entry for login.cloudsp.eu that points to our internal ADFS server so that it can resolve the name.

Our internal DNS then also has an empty DNS zone called login.cloudsp.eu configured to resolve to the internal ADFS server so that clients on the internal network do not resolve to the WAP.

Now, this all works well. Internal clients get SSO without having to go via the WAP and external clients hit the WAP and are then redirected to the ADFS of the cloud provider where they have to authenticate with their SharePoint credentials.

The problem is this:

An internal client connects and authenticates via SSO to ADFS. They then disconnect and connect directly to the Internet. When they start their browser again they immediately get the ADFS login of the INTERNAL ADFS server (which, in theory, they should never see). What seems to be happening is that they hit the WAP, which forwards the requests to the internal ADFS server, which presents the login screen of our internal ADFS server.

This only occurs in this specific scenario (i.e. having already connected via SSO) and clearing the browser's cache fixes the issue. So, I'm assuming that ADFS stores some sort of cookie or other token somewhere and the browser is re-using that when it tries to authenticate?

FYI - KMSI and PersistentSSO are both disabled.

1 Answer

0
votes

What may be happening is that ADFS has a cookie that remembers the HRD choice and bypasses this check for following attempts.

This cookie by default is active for 30 days. You can turn it off or extend the time.

e.g. Set-AdfsWebConfig -HRDCookieLifetime 90
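
The two options named in the answer (turning the HRD cookie off, or changing its lifetime) as an added example that is not part of the original answer. `Set-HrdCookiePolicy` is a hypothetical helper name; the script assumes it is run elevated on the primary AD FS server, where the ADFS PowerShell module is installed.

```powershell
#Requires -Modules ADFS
# Added example. Set-HrdCookiePolicy is a hypothetical helper, not an AD FS cmdlet.

function Set-HrdCookiePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $false stops AD FS from remembering the home realm choice
        [Parameter(Mandatory)]
        [bool]$Enabled,

        # Cookie lifetime in days; only applied while the cookie stays enabled
        [ValidateRange(1, 3650)]
        [int]$LifetimeDays
    )

    # Record the current settings so the change can be reviewed or reverted
    $before = Get-AdfsWebConfig | Select-Object HRDCookieEnabled, HRDCookieLifetime
    Write-Verbose "Current: enabled=$($before.HRDCookieEnabled), lifetime=$($before.HRDCookieLifetime) days"

    # Build the parameter set for Set-AdfsWebConfig
    $params = @{ HRDCookieEnabled = $Enabled }
    if ($Enabled -and $PSBoundParameters.ContainsKey('LifetimeDays')) {
        $params.HRDCookieLifetime = $LifetimeDays
    }

    $summary = ($params.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    if ($PSCmdlet.ShouldProcess('AD FS web configuration', "Set $summary")) {
        Set-AdfsWebConfig @params
    }

    # Return before/after so the caller can confirm what changed
    [pscustomobject]@{
        Before = $before
        After  = Get-AdfsWebConfig | Select-Object HRDCookieEnabled, HRDCookieLifetime
    }
}

# Preview disabling the HRD cookie without changing anything
Set-HrdCookiePolicy -Enabled $false -WhatIf -Verbose

# Alternative: keep the cookie but set the lifetime used in the answer's example
# Set-HrdCookiePolicy -Enabled $true -LifetimeDays 90
```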