Forum Discussion

Richard_Jones
Sep 17, 2014

Logging a user out of ADFS when logging out of APM

I'm working on a project to place APM in front of Exchange 2013 (OWA specifically in this case), which is configured to use ADFS for authentication. I've placed Exchange and ADFS behind separate virtual servers and use Multi-domain SSO to authenticate into APM for both virtuals, plus handle the back-end SSO to ADFS from APM. Everything works great.

However, on logout, the APM session gets deleted, but the user's browser still has valid 'FedAuth' and 'FedAuth1' cookies from the ADFS authentication.

If a second user (user2) logs into APM (without closing the browser), then the Exchange server will see the valid ADFS cookies created for user1 and connect user2 to user1's inbox. Very bad!

Are there any supported methods to remove the ADFS cookies or perform some type of Single Sign-Out? I know I could always use an iRule to muck with the cookie values, etc., but I'd like something more standard than that.

Thanks!

R

2 Replies

  • I found the ADFS articles on DevCentral, and part 4 talks about the Single Sign-Out, which I will test out. But there's still another step that I haven't quite figured out yet. In addition to logging out through OWA, a user could also log out through the SharePoint links (we're using multi-domain SSO, but only Exchange uses ADFS). I need to ensure that if a user clicks logout through SharePoint, their ADFS cookies still get deleted. Anyone have ideas on this one?

    Thanks

    R

  • Richard,

    Can I ask why you have set up Exchange for ADFS authentication? I've not seen that done before, so I'm curious as to what drives this design. Also, I am a bit surprised that Exchange is not invalidating the auth cookies upon logging the user out; else you can do an iRule redirect when doing Exchange logoff to send you to the ADFS logout page, which should help invalidate/erase those cookies.
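As an added illustration of the iRule approach discussed in this thread (not code posted by either participant), the rule below watches for the OWA and SharePoint logoff requests, tears down the APM session, expires the federation cookies the browser still holds, and redirects to the ADFS sign-out page, so a second user on the same browser cannot inherit the first user's FedAuth session. The logoff paths, the ADFS hostname and the sign-out URL are assumptions to be adjusted for the deployment.

```tcl
# Added example, not from the thread. Placeholder values are marked as assumed.
when RULE_INIT {
    # WIF splits a large federation token across FedAuth, FedAuth1, FedAuth2, ...
    set static::fed_cookies [list "FedAuth" "FedAuth1" "FedAuth2"]
    # Assumed ADFS sign-out page on the ADFS virtual server (WS-Federation sign-out)
    set static::adfs_signout "https://adfs.example.com/adfs/ls/?wa=wsignout1.0"
}

when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]
    # Assumed logoff paths: OWA logoff and the SharePoint sign-out link.
    # Both must clear the ADFS cookies even though only Exchange uses ADFS.
    if { ($path starts_with "/owa/logoff.owa") ||
         ($path starts_with "/_layouts/signout.aspx") } {

        # Remove the APM session so the APM side of the logout still happens
        if { [ACCESS::session exists] } {
            ACCESS::session remove
        }

        # One expired Set-Cookie per federation cookie. The path (and domain,
        # if WIF set one) must match the original cookie or the browser keeps it.
        set headers [list "Location" $static::adfs_signout]
        foreach c $static::fed_cookies {
            lappend headers "Set-Cookie" \
                "$c=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly"
        }

        # 302 to ADFS so the federation session is ended there as well.
        # eval is used because iRules run on Tcl 8.4, which lacks {*} expansion.
        eval [concat [list HTTP::respond 302 noserver] $headers]
    }
}
```

Check the result by logging out as one user, logging in as a second user in the same browser and confirming the second user is not connected to the first user's mailbox; if the FedAuth cookies survive, compare their path and domain attributes with the expiring Set-Cookie headers.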