Eleazar

Reputation: 1

Trouble with ADFS Logout due to `MSSignOutProtocol` Cookie Behavior

I'm trying to implement ADFS logout in my application, but I'm running into issues due to how cookies are handled during the logout process. Here’s the sequence of events I’m observing:

  1. Login Flow:
     • After a successful login to ADFS, the following cookies are set:
       • MSISAuth
       • MSISAuth1
  2. Logout Flow:
     • When I perform a logout by navigating to https://...adfs/ls/?wssignout=1.0, ADFS logs the user out and POSTs a redirect to my endpoint with a SAMLRequest containing session information.
     • Upon logout, the following cookies are deleted:
       • MSISAuth
       • MSISAuth1
     • However, the following new cookie is created:
       • MSISSignoutProtocol (with a 10-minute expiry time).
  3. Second Login:
     • After logging in again in the same browser, the cookies MSISAuth and MSISAuth1 are recreated.
  4. Logout Behavior on Second Attempt:
     • On a subsequent logout attempt in the same browser, the cookies MSISAuth and MSISAuth1 may not be deleted, depending on whether the MSISSignoutProtocol cookie has expired or been deleted.

What I've Tried:

Problem: The logout behavior seems to be inconsistent due to the MSISSignoutProtocol cookie. I’m unable to reliably log out a user once they’ve logged in again, especially after a successful logout. The logout works if I delete or wait for this cookie to expire. I am using passport-saml.

Question: Has anyone encountered this issue with ADFS logout, and how can I resolve it? Is there a recommended way to handle the MSISSignoutProtocol cookie or properly implement a logout flow with ADFS using passport-saml.js?

Upvotes: -1

Views: 27

Answers (0)
