AD FS Logout of multiple published apps

MaxCode 1 Reputation point
2021-03-22T01:46:09.83+00:00

We have over twenty non-claims applications (WS-Fed) published through WAP. Each web application proxy application has the following set: -EnableSignOut:$True -EnableHTTPRedirect:$True. We are running Windows Server 2016 AD FS.

Each web application uses Windows Integrated Authentication and the users only access the applications externally.

As a developer I am trying to understand how to log out of every published application. Currently when the user wants to log out we redirect the user to a single web site which has a logoff.html file.

In the HTML file, JavaScript creates image requests as follows:
https://app.mydomain/pub1/?wa=wsignoutcleanup1.0
https://app.mydomain/pub2/?wa=wsignoutcleanup1.0
....
https://app.mydomain/pub18/?wa=wsignoutcleanup1.0
https://app.mydomain/pub19/?wa=wsignoutcleanup1.0

Finally once all the image src requests have been made, the window.location is changed to the last application that we want to log out of:
https://app.mydomain/pub20/?wa=wsignoutcleanup1.0

Once this endpoint is hit it automatically redirects the user to:
https://adfs.mydomain/adfs/ls/?wa=wsignout1.0

This appears to work in most instances and the user is logged out. However, sometimes the log out process is slow and when https://adfs.mydomain/adfs/ls/?wa=wsignout1.0 is hit, the user is not logged out and is automatically redirected to https://app.mydomain/pub20/ without having to enter their credentials.

I'd really like to know if the process that we are following is correct. Trying to find an easy-to-follow process on how to log out has been a real challenge as a developer. All of the above rely on a single non-claims relying party.

Really appreciate some help.

Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
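The logoff page the question describes, written out as an added example (not the poster's code): it issues the `wsignoutcleanup1.0` requests for pub1 to pub19 and navigates to pub20 only after every request has completed or timed out. The function names, the injectable `createImage`/`navigate` hooks and the 5-second timeout are assumptions; the page does not establish whether request ordering is behind the intermittent behaviour.

```javascript
// Added example, not the poster's code. Hosts and paths are the ones quoted
// in the question; function names and the timeout value are assumptions.
const APP_BASE = "https://app.mydomain/pub";
const CLEANUP = "/?wa=wsignoutcleanup1.0";

// Build the cleanup URLs for pub<first> .. pub<last>.
function buildCleanupUrls(first, last) {
  const urls = [];
  for (let n = first; n <= last; n++) urls.push(APP_BASE + n + CLEANUP);
  return urls;
}

// Request one cleanup URL through an image element and resolve once the
// request has finished. Either handler means the request completed, so
// onload and onerror are treated alike; a timer covers requests that hang.
function requestCleanup(url, createImage, timeoutMs) {
  return new Promise((resolve) => {
    const img = createImage();
    const timer = setTimeout(() => resolve({ url, outcome: "timeout" }), timeoutMs);
    const done = (outcome) => () => {
      clearTimeout(timer);
      resolve({ url, outcome });
    };
    img.onload = done("load");
    img.onerror = done("error");
    img.src = url; // setting src starts the request
  });
}

// Fire all cleanup requests, wait until each has settled or timed out, and
// only then navigate to the last application's cleanup URL.
async function signOutAll(urls, finalUrl, opts = {}) {
  const createImage = opts.createImage || (() => new Image());
  const navigate = opts.navigate || ((u) => { window.location = u; });
  const timeoutMs = opts.timeoutMs || 5000;
  const results = await Promise.all(
    urls.map((u) => requestCleanup(u, createImage, timeoutMs))
  );
  navigate(finalUrl);
  return results;
}

// In logoff.html (browser only):
// signOutAll(buildCleanupUrls(1, 19), buildCleanupUrls(20, 20)[0]);
```

The returned `results` array records which applications answered and which timed out, which can be logged to see whether slow logouts line up with unfinished cleanup requests.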

1 answer

  1. MaxCode 1 Reputation point
    2021-03-28T03:09:19.81+00:00

    Anyone want to comment on whether the above process is correct?
