bigbearzhu

Reputation: 2451

ADFS 2.0, how to clear the credential cache?

I have been hitting this sign-out issue for a long time and couldn't find a solution. At the beginning, my website using ADFS 2.0 couldn't sign out even when the correct sign-out URL had been opened. I thought some cookies were not being cleared. After that, I found that it was probably a problem with the ADFS server.

I have tried:

  1. Stop the IIS server, so I don't have my website at all, just testing ADFS.
  2. Clear my browser cookies. Close and reopen, so it is clean.
  3. Directly log on to ADFS, e.g.: https://mydomain/adfs/ls/?wtrealm=mysite&wa=wsignin1.0 , here I get the popup window for username and password.
  4. Directly log out by accessing: https://mydomain/adfs/ls/?wtrealm=mysite&wa=wsignout1.0
  5. Clear my browser cookies.
  6. Try to log on using the URL from step 3 again. I get logged in and don't see any popup. In the browser developer tool, I see the redirect to my website.

I used Fiddler to capture the traffic; it seems the authentication is using NTLM. It looks like the browser obtained the credentials from somewhere (not from cookies, as confirmed). The only way to get the popup back is closing the browser process and reopening the logon URL. Does anyone know how to make it really sign out?

Upvotes: 1

Views: 9622

Answers (1)

SamuelD MSFT

Reputation: 781

This is because your ADFS service inside your corpnet is using Windows integrated authentication and signs you in seamlessly using a fresh AD service ticket to the ADFS service (technically another authentication). This is no different from having an IIS web app that supports Windows integrated authentication.

You won't see this if you are accessing from the extranet.

In some scenarios you care about getting user interaction to log in. The way to do this is (2012 R2 is the choice here):

  1. Configure MFA on the ADFS service and, for the application, require MFA. This would still seamlessly sign you in, but prompt for the 2nd factor.
  2. Augment (higher security) to ignore any SSO (web SSO by default is 8 hours) and set the 'AlwaysRequireAuthentication' flag on the application.

This gets better with ADFS 2016, where we support prompt=login over WS-Fed or OAuth/OpenID Connect, which will ignore even the Windows SSO pattern.

Hope that helps.

Thanks //Sam (Twitter: @MrADFS)

Upvotes: 0
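The two settings from the answer, applied to the relying party from the question with the AD FS PowerShell module on a 2012 R2 or later farm, as an added example that is not part of the answer. It assumes the relying party trust is named "mysite" (the wtrealm in the question) and that an MFA provider is already registered in the global authentication policy.

```powershell
# Added example (not from the answer): make AD FS 2012 R2+ prompt the user
# for the relying party "mysite" even when Windows integrated authentication
# signs them in silently from the intranet.
# Assumptions: the RP trust display name is "mysite" (the wtrealm from the
# question) and an MFA provider is already registered on the farm.
$rpName = "mysite"   # assumption: display name of the relying party trust

# Option 2 from the answer: ignore any existing SSO session for this RP.
# Every request for this RP re-authenticates, regardless of the web SSO
# lifetime (8 hours by default).
Set-AdfsRelyingPartyTrust -TargetName $rpName -AlwaysRequireAuthentication $true

# Option 1 from the answer: require MFA for this RP. The additional
# authentication rule issues the "multipleauthn" authentication-method claim,
# which makes AD FS invoke the registered MFA provider after the (silent)
# primary Windows authentication, so the user is always prompted.
$mfaRule = '=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Verify both settings took effect on the trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AlwaysRequireAuthentication, AdditionalAuthenticationRules

# Diagnostic for the original symptom: browsers whose user agent matches one
# of these entries get Windows integrated (NTLM/Kerberos) authentication on
# the intranet instead of the forms-based prompt.
(Get-AdfsProperties).WIASupportedUserAgents

# On AD FS 2016 the request itself can force a prompt, as the answer notes:
# append prompt=login to the WS-Fed sign-in URL, e.g.
#   https://mydomain/adfs/ls/?wtrealm=mysite&wa=wsignin1.0&prompt=login
```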
