

ADFS Troubleshooting: signout issue for SharePoint site in IE browser due to FedAuth Cookie

This article discusses a well-known SharePoint ADFS sign-out issue. Let's start with some background on the issue. Imagine you have configured SharePoint with ADFS authentication and everything (login, logout, claims, etc.) works, except when you try to log out. You are redirected to a page similar to https://your_sts_server/adfs/ls/?wa=wsignout1.0.

Without closing the browser window (the logout message says “Sign out: Close browser to complete sign out”), type the SharePoint site URL in the address bar. You won’t be asked to log in, and the SharePoint site will be accessible. This shows that the sign-out was incomplete.

This is a known issue with SharePoint sites that use ADFS authentication, caused by the ADFS FedAuth cookie. To get correct sign-out behaviour, we need to make the FedAuth cookies session-based.

We can achieve this by running the following SharePoint PowerShell commands:

# Run in the SharePoint Management Shell
$sts = Get-SPSecurityTokenServiceConfig
# Make the FedAuth cookies session-based
$sts.UseSessionCookies = $true
$sts.Update()

You only need to run the above commands on a single server, but you need to perform an IISreset on all SharePoint servers.
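One way to confirm the change took effect is to inspect the Set-Cookie headers returned after login and check that FedAuth no longer carries an expiry. This is an added example, not part of the original article; the function name Get-FedAuthCookieType and the sample headers are constructed for illustration.

```powershell
# Added example: classify FedAuth Set-Cookie headers as session or persistent.
# A cookie with an Expires or Max-Age attribute is persistent (kept across
# browser restarts); a cookie with neither is a session cookie.

function Get-FedAuthCookieType {
    param([Parameter(Mandatory)][string[]]$SetCookieHeader)

    foreach ($header in $SetCookieHeader) {
        # First segment is name=value; the remaining segments are attributes.
        $parts = @($header -split ';' | ForEach-Object { $_.Trim() })
        $name  = ($parts[0] -split '=', 2)[0]

        # Only FedAuth cookies matter here (FedAuth, and numbered chunks if present).
        if ($name -notmatch '^FedAuth\d*$') { continue }

        # Attribute names are case-insensitive; -match ignores case by default.
        $persistAttr = @($parts | Select-Object -Skip 1 |
            Where-Object { $_ -match '^(expires|max-age)\s*=' })

        [pscustomobject]@{
            Cookie     = $name
            Persistent = ($persistAttr.Count -gt 0)
            Attribute  = ($persistAttr -join '; ')
        }
    }
}

# Constructed sample headers (token values are placeholders, not real cookies).
$beforeFix = @(
    'FedAuth=CONSTRUCTED_TOKEN; expires=Thu, 01-Jan-2026 10:00:00 GMT; path=/; secure; HttpOnly',
    'WSS_KeepSessionAuthenticated=CONSTRUCTED; path=/'
)
$afterFix = @(
    'FedAuth=CONSTRUCTED_TOKEN; path=/; secure; HttpOnly'
)

'Before UseSessionCookies = $true:'
Get-FedAuthCookieType -SetCookieHeader $beforeFix | Format-Table -AutoSize

'After UseSessionCookies = $true and IISreset:'
Get-FedAuthCookieType -SetCookieHeader $afterFix | Format-Table -AutoSize
```

To check a real farm, copy the Set-Cookie lines for the post-login response from the browser's developer tools and pass them to the function; Persistent should be False for every FedAuth entry once the setting is applied.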

 

To understand more about the FedAuth cookie, see the article below:

https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx