AD FS: How to Invoke a WS-Federation Sign-Out
Summary
In Active Directory Federation Services (AD FS), we support a WS-Federation passive sign-out request to the relying party security token service (RP-STS), which invokes a sign-out from each web application accessed during the current browser session. The identity provider security token service (IP-STS) is also included in the sign-out process. Note: The RP-STS and IP-STS are the same server in WebSSO scenarios where there is no federated partner.
Single sign-on to the various web applications is maintained via session cookies in the browser, and the WS-Federation sign-out process destroys these cookies so that the user must provide credentials again for subsequent access to those applications.
WS-Federation sign-out URL:
https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0
You can optionally provide an additional query string parameter to land the user on a specific page once sign-out is complete.
Query string parameter to use for post-sign-out landing:
wreply={post-sign-out_landing_URL}
Full URL using the wreply parameter:
https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0&wreply={post-sign-out_landing_URL}
Cookies used for WS-Federation sign-out:
AD FS 1.0/1.1 - LSCleanup
AD FS 2.0 - MSISSignOut and MSISSignOutReply (the latter only if you use the wreply parameter with the request)
When the user has an active session, each accessed resource and the IP-STS will have an entry in the sign-out cookie.
AD FS 2.0 example:
1. The user accessed the web application named ClaimApp: https://adfs2rweb.treyresearch.net:8081/
2. The web application trusts the Trey Research RP-STS: https://adfs2rsts.treyresearch.net/adfs/ls/
3. The user's home realm is Adatum, so we see the IP-STS: https://adfs2asts.adatum.com/adfs/ls/
*The RP-STS URL is not included in the cookie since the RP-STS already knows its own URL, and this is where the WS-Federation sign-out begins.
4. If you take a Fiddler trace during the WS-Federation sign-out, the cookie is base64-encoded, so you'll need to base64-decode its contents to get back to clear text.
Example of base64-encoded cookie:
MSISSignOut=c2lnbm91dDtodHRwczovL2FkZnMyYXN0cy5hZGF0dW0uY29....(cut off for page formatting purposes)
The decoded contents of the sign-out cookie during the active session are the following:
signout;https://adfs2asts.adatum.com/adfs/ls/\signoutCleanup;https://adfs2rweb.treyresearch.net:8081/&ClaimApp&https://adfs2rweb.treyresearch.net:8081/&https://adfs2rweb.treyresearch.net:8081/\
5. When the initial WS-Federation sign-out request is sent to the RP-STS, the RP-STS will first redirect to the IP-STS with a WS-Federation sign-out request. At this same time, the RP-STS sets the sign-out cookie to the user with a new value. The new value no longer contains the IP-STS URL.
The decoded contents of the sign-out cookie after the initial redirect to the IP-STS:
signoutCleanup;https://adfs2rweb.treyresearch.net:8081/&ClaimApp&https://adfs2rweb.treyresearch.net:8081/&https://adfs2rweb.treyresearch.net:8081/\
6. The IP-STS will perform its own WS-Federation sign-out, which will vary by product. If the IP-STS is AD FS 2.0, it will clear out the MSISSignOut cookie that it had originally written to the user.
7. The final step is a request back to the RP-STS: https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignoutcleanup1.0
Upon receiving the wsignoutcleanup1.0 request, the RP-STS responds by clearing out the rest of the MSISSignOut cookie. Once the sign-out cookie is empty, the user's session has been terminated, and the user will either land on an AD FS sign-out page or be redirected to the URL given in the wreply parameter if it was used during the initial sign-out request.
The empty sign-out cookie will look like this:
MSISSignOut=; expires=Tue, 01-Jun-2010 21:01:32 GMT; path=/adfs/ls
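The following Python script is an added example for checking a captured trace against the steps above; it is not part of this article and not AD FS code. It base64-decodes an MSISSignOut value, splits it into its entries (the clear-text values quoted above are the sample input, re-encoded so the script runs offline; the leading characters of the re-encoded value match the truncated base64 sample shown earlier), reproduces the step 5 transition by dropping the IP-STS entry, and recognizes the emptied cookie from step 7. The cookie layout is inferred from the two decoded values in this article: entries separated by a backslash, each entry being a kind ("signout" or "signoutCleanup") and a "&"-separated payload. Treating the first payload field as the endpoint URL and the second field of a signoutCleanup entry as the relying party name is an assumption, since the article does not name the individual fields.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Clear-text MSISSignOut value quoted in the article for the active session
# (IP-STS entry first, then the ClaimApp entry). Constructed input for this
# example: entries are separated by '\' and each is "<kind>;<payload>".
ACTIVE_SESSION = (
    "signout;https://adfs2asts.adatum.com/adfs/ls/\\"
    "signoutCleanup;https://adfs2rweb.treyresearch.net:8081/&ClaimApp"
    "&https://adfs2rweb.treyresearch.net:8081/"
    "&https://adfs2rweb.treyresearch.net:8081/\\"
)

# Clear-text value quoted in the article after the RP-STS redirected to the IP-STS.
AFTER_IP_STS_REDIRECT = (
    "signoutCleanup;https://adfs2rweb.treyresearch.net:8081/&ClaimApp"
    "&https://adfs2rweb.treyresearch.net:8081/"
    "&https://adfs2rweb.treyresearch.net:8081/\\"
)

# Set-Cookie header quoted in the article once the sign-out has completed.
FINAL_SET_COOKIE = "MSISSignOut=; expires=Tue, 01-Jun-2010 21:01:32 GMT; path=/adfs/ls"


@dataclass
class SignOutEntry:
    kind: str          # "signout" = IP-STS entry, "signoutCleanup" = web application entry
    fields: List[str]  # raw '&'-separated payload

    @property
    def url(self) -> str:
        # Assumption: the first payload field is the endpoint to be signed out.
        return self.fields[0]

    @property
    def name(self) -> Optional[str]:
        # Assumption: the second field of a signoutCleanup entry is the RP display name.
        if self.kind == "signoutCleanup" and len(self.fields) > 1:
            return self.fields[1]
        return None


def encode_cookie(clear_text: str) -> str:
    """Base64-encode a clear-text value (used here only to build sample input)."""
    return base64.b64encode(clear_text.encode("utf-8")).decode("ascii")


def decode_cookie(value: str) -> str:
    """Base64-decode an MSISSignOut value copied from a Fiddler trace.
    Padding is restored in case the capture dropped trailing '=' characters."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("utf-8")


def parse_cookie(clear_text: str) -> List[SignOutEntry]:
    """Split the decoded value into its entries; a trailing '\\' yields an empty piece."""
    entries = []
    for raw in clear_text.split("\\"):
        if not raw:
            continue
        kind, sep, payload = raw.partition(";")
        if not sep:
            raise ValueError(f"malformed sign-out entry: {raw!r}")
        entries.append(SignOutEntry(kind, payload.split("&")))
    return entries


def strip_ip_sts(clear_text: str) -> str:
    """Rebuild the value without the 'signout' (IP-STS) entry, as the RP-STS does
    when it redirects to the IP-STS in step 5."""
    kept = [e for e in parse_cookie(clear_text) if e.kind != "signout"]
    return "".join(f"{e.kind};{'&'.join(e.fields)}\\" for e in kept)


def cookie_value_from_set_cookie(header: str, name: str = "MSISSignOut") -> Optional[str]:
    """Return the value of the named cookie from a Set-Cookie header, or None."""
    first = header.split(";", 1)[0].strip()
    cookie_name, sep, value = first.partition("=")
    if cookie_name != name or not sep:
        return None
    return value


def session_terminated(header: str) -> bool:
    """True when the RP-STS has cleared MSISSignOut to an empty value (step 7)."""
    return cookie_value_from_set_cookie(header) == ""


if __name__ == "__main__":
    captured = encode_cookie(ACTIVE_SESSION)  # stands in for the value seen in Fiddler
    for entry in parse_cookie(decode_cookie(captured)):
        print(f"{entry.kind:15} {entry.url} {entry.name or ''}")
    print("after step 5:", strip_ip_sts(ACTIVE_SESSION) == AFTER_IP_STS_REDIRECT)
    print("terminated  :", session_terminated(FINAL_SET_COOKIE))
```

When reading a real trace, paste the MSISSignOut value into decode_cookie and compare the parsed entries with the applications the user actually visited; an entry for an application that is absent from the list will not receive a wsignoutcleanup1.0 request and its session cookie will survive the sign-out.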
More Information
Detailed information on WS-Federation Sign-out:
http://msdn.microsoft.com/en-us/library/bb608217.aspx
Sections: 2.2, 3.4, 5.3