May 12, 2010

ADFS 2 SharePoint 2010 Signout


Issue
Signing out of a claims-aware SharePoint 2010 web application (the Sign Out menu item) only clears SharePoint's own authentication cookie; it does not sign the user out of the ADFS 2.0 single sign-on session, whose cookie stays in the browser. On the next visit to SharePoint the user is therefore not prompted for a user id and password: ADFS silently reissues a token for the identity that was last used.



Resolution
To correctly log out, the browser must also be sent to the ADFS sign-out endpoint with a WS-Federation sign-out request (wa=wsignout1.0):

https://your_sts_server/adfs/ls/?wa=wsignout1.0

ADFS then clears its own SSO cookie. An optional wreply parameter names the URL the user is returned to afterwards; it must be URL-encoded, and because an unvalidated return URL is an open redirect, never build it from user-supplied input. Point it at an address that belongs to the relying party.


To put this behind the Sign Out menu item, edit Welcome.ascx in the 14 hive (%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\CONTROLTEMPLATES) as shown below. Take a copy of the file first: this folder is shared by every web application on the server, the change has to be repeated on each web front end, and a cumulative update or service pack can overwrite the file.

Find the control with ID ID_Logout and rename it to ID_Logout2 (the Welcome control's code looks this control up by ID, so renaming it stops SharePoint from overriding your changes). Apply the following changes and save.


* Update *

Even with the change above, we still saw "sticky" logins after the user had signed out by browsing to the ADFS sign-out URL.

The reason is that SharePoint 2010 issues its own authentication cookie (FedAuth), which by default is a persistent cookie written to disk, so it outlives the ADFS sign-out and even the browser session. The fix is to make SharePoint issue a session cookie instead, which is held in memory and discarded when the browser is closed (closing a single tab or page is not enough). Run the following PowerShell on a SharePoint server; the setting lives in the farm configuration, so it applies to every claims web application in the farm, and IIS must be restarted on each web front end for it to take effect:


# Switch the farm's security token service to session (in-memory) cookies
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
# Restart IIS on each web front end so the new setting is picked up
iisreset

With both the SharePoint and ADFS cookies now session based, the user can sign out by closing the browser. Note that "closing the browser" means exiting every window of the browser process, not just the tab, and on a shared or kiosk machine the next person at the keyboard inherits the session until that happens; the explicit sign-out URL above is still the right thing to put behind the Sign Out link.
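To check these settings before and after the change, here is an added PowerShell example, not from the original post, that audits the farm's security token service configuration, applies UseSessionCookies when asked to, and derives the ADFS sign-out URL from the trusted identity token issuer registered in the farm. It assumes the SharePoint 2010 Management Shell on a web front end, a single SPTrustedIdentityTokenIssuer pointing at ADFS, and a placeholder web application URL (https://portal.contoso.com) that you replace with your own.

```powershell
# Added example (not from the original post): audit the farm settings that decide
# whether a SharePoint 2010 claims sign-in survives an ADFS sign-out, and derive the
# ADFS sign-out URL from the trusted identity provider registered in the farm.
# Run in the SharePoint 2010 Management Shell on a web front end.
# Assumptions: one SPTrustedIdentityTokenIssuer is registered for ADFS; $WebAppUrl is
# the claims web application users should be returned to after sign-out (placeholder).
param(
    [string] $WebAppUrl = "https://portal.contoso.com",   # placeholder, change to your web app
    [switch] $Fix                                          # set UseSessionCookies when it is off
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Farm-wide security token service settings that govern the FedAuth cookie
$sts = Get-SPSecurityTokenServiceConfig
Write-Host ("UseSessionCookies               : {0}" -f $sts.UseSessionCookies)
Write-Host ("FormsTokenLifetime              : {0}" -f $sts.FormsTokenLifetime)
Write-Host ("LogonTokenCacheExpirationWindow : {0}" -f $sts.LogonTokenCacheExpirationWindow)

if (-not $sts.UseSessionCookies) {
    Write-Warning "FedAuth is a persistent cookie: it is written to disk and outlives an ADFS sign-out."
    if ($Fix) {
        $sts.UseSessionCookies = $true
        $sts.Update()
        Write-Host "UseSessionCookies set to True. Run 'iisreset' on every web front end."
    }
}

# 2. Derive the WS-Federation sign-out URL from the provider's sign-in endpoint (/adfs/ls/)
$tip = Get-SPTrustedIdentityTokenIssuer | Select-Object -First 1
if ($tip -eq $null) { throw "No SPTrustedIdentityTokenIssuer is registered in this farm." }

$endpoint = $tip.ProviderUri.GetLeftPart([System.UriPartial]::Path)   # strip any query string
$wreply   = [System.Uri]::EscapeDataString($WebAppUrl)                # wreply must be URL-encoded
$signOut  = "{0}?wa=wsignout1.0&wreply={1}" -f $endpoint, $wreply

Write-Host ("Identity provider               : {0}" -f $tip.Name)
Write-Host ("Sign-in endpoint                : {0}" -f $endpoint)
Write-Host ("UseWReplyParameter              : {0}" -f $tip.UseWReplyParameter)
Write-Host ("ADFS sign-out URL               : {0}" -f $signOut)
```

Run it once without -Fix to see the current state, then with -Fix to switch the farm to session cookies; the printed sign-out URL is the one to put behind the Sign Out link, with wreply pointing at your own web application rather than anything derived from the request.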

One more cookie remains: the Home Realm Discovery cookie (MSISIPSelectionPersistent in ADFS 2.0), which is written to disk and remembers the claims provider the user last chose, so it survives the sign-out. If several sites use the same ADFS instance and more than one claims provider is configured, ADFS skips the "choose how to sign in" page and goes straight to the last provider used. So if a user last signed in with Live ID, the next application behind the same ADFS instance sends them to Live ID instead of the login "choice" screen.

For users who need to pick the login mode each time, such as testers, InPrivate browsing (or a separate browser profile) avoids the problem, because the cookie is discarded at the end of the session. Users can also delete their cookies to get rid of this persistence. An application can bypass the remembered choice too, by passing the WS-Federation whr (home realm) parameter on the sign-in request, which tells ADFS which claims provider to use. There is also supposed to be a special URL on ADFS that deletes this cookie, but it is not normally shared by the ADFS team.
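The remembered choice can also be controlled on the ADFS server rather than in each user's browser. The following is an added PowerShell example, not from the original post, that reports and optionally shortens or disables the Home Realm Discovery cookie. It assumes you run it as an ADFS administrator on the ADFS 2.0 server, that the Microsoft.Adfs.PowerShell snap-in's Get-ADFSWebConfig and Set-ADFSWebConfig cmdlets expose the HRDCookieEnabled and HRDCookieLifetime (in days) settings (check with Get-Command *-ADFSWebConfig before relying on them), and the lifetime of 1 day is a placeholder value.

```powershell
# Added example (not from the original post): inspect, and optionally shorten or disable,
# the Home Realm Discovery cookie on the ADFS 2.0 server, as an alternative to asking
# testers to clear cookies or use InPrivate browsing.
# Assumptions: run on the ADFS 2.0 server as an ADFS administrator; Get-ADFSWebConfig /
# Set-ADFSWebConfig expose HRDCookieEnabled and HRDCookieLifetime (days).
param(
    [int]    $LifetimeDays = 1,   # placeholder: how long the remembered choice should live
    [switch] $Disable             # turn the HRD cookie off (always show the choice page)
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Current state of the HRD cookie settings
$web = Get-ADFSWebConfig
Write-Host ("HRDCookieEnabled  : {0}" -f $web.HRDCookieEnabled)
Write-Host ("HRDCookieLifetime : {0} day(s)" -f $web.HRDCookieLifetime)

if ($Disable) {
    # No cookie is issued, so every sign-in shows the claims provider choice page
    Set-ADFSWebConfig -HRDCookieEnabled $false
    Write-Host "HRD cookie disabled: users will see the claims provider choice on every sign-in."
}
elseif ($LifetimeDays -gt 0 -and $web.HRDCookieLifetime -ne $LifetimeDays) {
    # Keep the cookie, but make the remembered choice expire sooner than the default
    Set-ADFSWebConfig -HRDCookieLifetime $LifetimeDays
    Write-Host ("HRD cookie lifetime set to {0} day(s)." -f $LifetimeDays)
}
```

Disabling the cookie is a farm-wide change that affects every relying party using this ADFS instance, so shortening its lifetime, or using whr per application, is usually the less disruptive option.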

12 comments:

  1. It works. This change applies to the whole farm. But the only issue is if we have multiple web apps in a farm, with some being claims and others Windows authentication.

  2. Phani, a custom user control and a MasterPage edit would be required for a per-root-level site collection change.

  3. Anonymous 4:52 AM

    Hi All,

    I am facing a problem while doing signout from ADFS2.0 through a SharePoint application.
    I have used the FederatedSignOut() method, but after clicking on the SignOut link it never goes back to the SignIn page and shows 'User is Still signing'..

    Please can anyone help me with how I can sign out from ADFS and return to the SignIn page of ADFS through the SharePoint application.

    Thanks in advance

  4. Hi All,

    I am facing a problem while doing signout from ADFS2.0 through a SharePoint application.

    When I click on the SignOut link it never goes back to the SignIn page and shows 'User is Still signing'..

    Please can anyone help me with how I can sign out from ADFS and return to the SignIn page of ADFS through the SharePoint application.

    Thanks in advance

  5. Did you try out the method suggested in this post?

  6. This comment has been removed by the author.

  7. Here is the sign-out URL we are using; replace the placeholders with your own values:

    https://[corp url]/adfs/ls/?wa=wsignin1.0&wreply=[Site to redirect to]&wtrealm=[Realm]&wctx=[Website Url]%2f_layouts%2fAuthenticate.aspx%3fSource%3d%7b0%7d&whr=[Hint, if applicable, otherwise omit]

  8. Hey there.

    Great article!
    Do you have any good tips for the "Sign in as different user" method?
    I would like to use the same approach but somehow automatically redirect the users to the Sign In form of ADFS.

    Thanks in advance for your answer.

    Cheers.
    ETienne.

  9. Here is my sign-out URL if this helps. One KEY that made my sign-out experience better was to add the -UseWReply parameter when creating the SPTrustedIdentityTokenIssuer. This instructs SharePoint to send the users back to SharePoint after logging out, and because their tokens are all cleared (from all IdPs) SharePoint ends up sending them back to the IdP, which for me is our login page. This way you do not end up at the ADFS signout page when you are all done. Works great. Also, if you have already created your SPTrustedIdentityTokenIssuer, then you can simply modify the UseWReplyParameter setting like this:
    # Enable the wreply parameter on the existing trusted identity token issuer
    $x = Get-SPTrustedIdentityTokenIssuer
    $x.UseWReplyParameter = $true
    $x.Update()

  10. Anonymous 5:41 PM

    We are using OAM.
    How do we generate https://[corp url]/adfs/ls/?wa=wsignin1.0&wreply=[Site to redirect to]&wtrealm=[Realm]&wctx=[Website Url]%2f_layouts%2fAuthenticate.aspx%3fSource%3d%7b0%7d&whr=[Hint, if applicable, otherwise omit]

    I am not clear about ADFS.
    I am trying to sign out, and have cleared all the cookies etc., but am still not able to sign out completely.

  11. @Anonymous, please re-read the article above. If you have not followed my steps, it is likely that your SharePoint cookies are not session based and are persisting even after the logout.


I always welcome feedback from my readers.