How do you handle the logout process for applications federated with ADFS?


My environment consists of various applications (RPs) federated with ADFS 2016. I'd say 90% of our user base logs in using forms-based authentication since they access these applications from public devices.

Here's our scenario.

Bob goes to Application A, gets redirected to ADFS for a token, authenticates to ADFS using forms-based authentication, and ADFS then grants a token for Application A which Bob uses to log in to Application A. Bob then logs off from Application A, which essentially deletes the session Bob had with Application A. Yet, without closing the browser, Bob accesses Application A again and, instead of being prompted to authenticate to ADFS once more using forms-based authentication, gets redirected straight to Application A. This is a problem since it could inadvertently allow users to log in under other users' accounts if those other users did not close their browsers.

We have been circumventing this by assuring all of our RPs are configured with "Require users to provide credentials each time at sign-in". Do you guys use this as well?

Some SAML RPs are configured on their side to always redirect the user to https://adfs.server.com/adfs/ls/?wa=wsignout1.0 which, according to MS, should only be used for WS-Fed applications as stated here and here. Have you experienced any issues by redirecting users to that URL?

Also, some RPs have the Endpoint tab configured with SAML Logout Endpoints and others don't. Do these Logout Endpoints need to be filled out, or is it only needed for applications that don't do this already from their side?


Answer by ComponentSpace

SAML logout messages should be sent to the SAML endpoint (i.e. https://adfs.server.com/adfs/ls/). The relying party must have a SAML logout endpoint configured to receive SAML logout messages.

The relying party should send a signed logout message to https://adfs.server.com/adfs/ls/. ADFS should return a signed logout response to the relying party's SAML logout endpoint.

If this SAML logout exchange is successful, the forms authenticated user should be logged out of ADFS. If the logout isn't successful, I suggest taking a look at the ADFS event log for more details.
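The exchange the answer describes, as an added example that is not code from the question, the answer or ComponentSpace's product: the relying party sends a signed SAML LogoutRequest to https://adfs.server.com/adfs/ls/ over the HTTP-Redirect binding, a simulated ADFS side validates it and returns a signed LogoutResponse to the RP's logout endpoint, and the RP clears its local state only after the response checks out. The ADFS endpoint comes from the page; the ADFS issuer, RP entity ID and RP logout endpoint are constructed, and the `placeholder_sign`/`placeholder_verify` pair stands in for RSA-SHA256 with the RP signing key and the ADFS token-signing certificate so the example runs offline.

```python
"""SAML 2.0 single logout (SLO) with ADFS over the HTTP-Redirect binding.

Added example, not code from the question or the answer. Assumptions:
  * ADFS_SLO_URL comes from the page; ADFS_ISSUER, RP_ENTITY_ID and RP_SLO_URL
    are constructed placeholders.
  * placeholder_sign / placeholder_verify stand in for RSA-SHA256 with the RP
    signing key and the ADFS token-signing certificate (HMAC with a constructed
    secret, so the example runs offline). A real RP verifies the ADFS certificate.
"""
import base64, hashlib, hmac, uuid, zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

ADFS_SLO_URL = "https://adfs.server.com/adfs/ls/"             # from the page
ADFS_ISSUER = "http://adfs.server.com/adfs/services/trust"   # constructed
RP_ENTITY_ID = "https://appa.example.com/saml"               # constructed
RP_SLO_URL = "https://appa.example.com/saml/logout"          # constructed
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
_PLACEHOLDER_KEY = b"constructed-demo-key"  # stands in for the real key pair


def placeholder_sign(data: bytes) -> bytes:
    return hmac.new(_PLACEHOLDER_KEY, data, hashlib.sha256).digest()  # placeholder for RSA-SHA256


def placeholder_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(placeholder_sign(data), sig)  # placeholder for cert-based verify


def _stamp(now: datetime) -> str:
    return now.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(name_id: str, session_index: str, now=None):
    """RP -> ADFS: LogoutRequest naming the user and the ADFS session to end."""
    now = now or datetime.now(timezone.utc)
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{_stamp(now)}" Destination="{ADFS_SLO_URL}">'
           f'<saml:Issuer>{RP_ENTITY_ID}</saml:Issuer>'
           f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
           f'{escape(name_id)}</saml:NameID>'
           f'<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex></samlp:LogoutRequest>')
    return req_id, xml


def build_logout_response(in_response_to: str, status: str, now: datetime) -> str:
    """ADFS -> RP: LogoutResponse correlated to the request through InResponseTo."""
    return (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_stamp(now)}" '
            f'Destination="{RP_SLO_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{ADFS_ISSUER}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')


def redirect_url(endpoint: str, param: str, xml: str, relay_state: str, sign) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then sign the encoded query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    payload = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    params = [(param, payload), ("RelayState", relay_state), ("SigAlg", SIG_ALG)]
    signed = urlencode(params)  # the signature covers exactly these octets, in this order
    params.append(("Signature", base64.b64encode(sign(signed.encode())).decode()))
    return endpoint + "?" + urlencode(params)


def verify_and_decode(url: str, param: str, expected_endpoint: str, verify) -> ET.Element:
    """Check endpoint, algorithm and signature over the query octets as received, then inflate."""
    parsed = urlparse(url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != expected_endpoint:
        raise ValueError("message delivered to the wrong endpoint")
    raw = {}
    for seg in parsed.query.split("&"):  # keep the raw encoding: re-encoding could alter the bytes
        key, _, value = seg.partition("=")
        raw[key] = value
    decoded = parse_qs(parsed.query)
    if decoded.get("SigAlg", [None])[0] != SIG_ALG:
        raise ValueError("unexpected SigAlg")  # never let the sender choose a weaker algorithm
    parts = [f"{param}={raw[param]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    if not verify("&".join(parts).encode(), base64.b64decode(decoded["Signature"][0])):
        raise ValueError("signature check failed")
    return ET.fromstring(zlib.decompress(base64.b64decode(decoded[param][0]), -15).decode())


def adfs_handle_logout_request(url: str, now=None) -> str:
    """Simulated ADFS side: validate the RP's request and answer with a signed response."""
    now = now or datetime.now(timezone.utc)
    req = verify_and_decode(url, "SAMLRequest", ADFS_SLO_URL, placeholder_verify)
    if req.tag != f"{{{NS['samlp']}}}LogoutRequest" or req.findtext("saml:Issuer", namespaces=NS) != RP_ENTITY_ID:
        raise ValueError("not a LogoutRequest from a known relying party")
    relay = parse_qs(urlparse(url).query).get("RelayState", [""])[0]
    return redirect_url(RP_SLO_URL, "SAMLResponse", build_logout_response(req.get("ID"), STATUS_SUCCESS, now),
                        relay, placeholder_sign)


def rp_validate_logout_response(url: str, expected_request_id: str, now=None,
                                max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """RP side: treat the ADFS session as ended only on a signed, correlated, fresh Success."""
    now = now or datetime.now(timezone.utc)
    resp = verify_and_decode(url, "SAMLResponse", RP_SLO_URL, placeholder_verify)
    if resp.tag != f"{{{NS['samlp']}}}LogoutResponse" or resp.findtext("saml:Issuer", namespaces=NS) != ADFS_ISSUER:
        raise ValueError("not a LogoutResponse from ADFS")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not match the outstanding LogoutRequest")
    issued = datetime.strptime(resp.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - issued) > max_skew:
        raise ValueError("stale LogoutResponse")
    return resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") == STATUS_SUCCESS


def demo_exchange() -> bool:
    """Full round trip for Bob: RP request -> ADFS -> RP validates the response."""
    req_id, req_xml = build_logout_request("bob@example.com", "_adfs-session-42")
    to_adfs = redirect_url(ADFS_SLO_URL, "SAMLRequest", req_xml, "/after-logout", placeholder_sign)
    return rp_validate_logout_response(adfs_handle_logout_request(to_adfs), req_id)


if __name__ == "__main__":
    print("ADFS forms session for Bob ended:", demo_exchange())
```

Two details matter for the RP's side of this. The signature is verified over the query-string octets exactly as they arrived (SAMLResponse, RelayState, SigAlg in that order), not over re-encoded values, because any re-encoding can change the bytes and make a valid ADFS signature fail. And a response is only accepted when its InResponseTo matches the request ID the RP stored when it issued the LogoutRequest, so a stray or replayed LogoutResponse cannot be used to convince the application that the ADFS session was ended. If the exchange fails, the answer's advice stands: the ADFS event log on the server shows why the request was rejected.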