What authentication mechanisms do they have configured in ADFS?
Are they using Windows Authentication for Intranet users? If so, this will mean the user won't be prompted to login and ADFS will use the current Windows user's authentication context.
It sounds like ADFS should be configured to use Forms Authentication instead. ADFS will prompt the user to log in even if they're logged into Windows, assuming they're not already logged into ADFS (i.e. they don't have an ADFS authentication cookie).
You have the option to log the user out of ADFS using SAML logout (SLO). This is initiated by calling _samlServiceProvider.InitiateSloAsync and is demonstrated by our ExampleServiceProvider project. However, in a shared environment, I recommend not relying on this completely and prompting the user to close the browser to ensure all authentication sessions are closed.
There is a ForceAuthn flag that may be included with the SAML authn request sent to ADFS. This is supposed to mean the IdP will force the user to log in even if they already have an authentication session with the IdP. However, not all IdPs support this and I'll have to double check if ADFS does. You can specify this flag when calling _samlServiceProvider.InitiateSsoAsync by setting SsoOptions.ForceAuthn.
Regards ComponentSpace Development
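A protocol-level check for the ForceAuthn point in the post above, as an added example that is not part of the original post and not ComponentSpace library code: it builds a SAML 2.0 AuthnRequest with ForceAuthn="true", encodes it for the HTTP-Redirect binding, and then decodes a SAMLRequest query parameter (the same string you would copy out of a browser trace) to confirm which flags the IdP will actually see. The entity ID and URLs are made up, the request is left unsigned, and the example goes slightly beyond the post by also handling IsPassive, which SAML 2.0 Core does not allow to be combined with ForceAuthn.

```python
"""Constructed example: emit a SAML 2.0 AuthnRequest with ForceAuthn, encode it for the
HTTP-Redirect binding, and decode a SAMLRequest parameter to verify the flag went out.
Not ComponentSpace code; the entity ID and URLs below are assumptions, not real endpoints."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed (made-up) service provider and ADFS endpoint values.
SP_ENTITY_ID = "https://sp.example.com/"
SP_ACS_URL = "https://sp.example.com/SAML/AssertionConsumerService"
ADFS_SSO_URL = "https://adfs.example.com/adfs/ls/"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=False,
                        is_passive=False, request_id=None, issue_instant=None):
    """Return an AuthnRequest XML string (SAML 2.0 Core 3.4.1).

    ForceAuthn is only written when requested (the schema default is false).
    Core 3.4.1 says ForceAuthn and IsPassive must not both be true, so refuse that.
    """
    if force_authn and is_passive:
        raise ValueError("ForceAuthn and IsPassive must not both be true")
    attrs = {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant
        or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": HTTP_POST_BINDING,
        "AssertionConsumerServiceURL": acs_url,
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    if is_passive:
        attrs["IsPassive"] = "true"
    attr_text = " ".join(
        f'{k}="{escape(v).replace(chr(34), "&quot;")}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" {attr_text}>'
            f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
            "</samlp:AuthnRequest>")


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """Encode per SAML Bindings 3.4.4.1: raw DEFLATE (no zlib header), base64, URL-encode.
    The SigAlg/Signature parameters are omitted here; add them if the IdP requires signed requests."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE stream
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urlencode(params)


def inspect_saml_request(url):
    """Decode the SAMLRequest parameter of a redirect-binding URL and report the flags the
    IdP will see. ForceAuthn/IsPassive are xs:boolean, so both 'true' and '1' count."""
    query = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")

    def flag(name):
        return root.get(name, "false").strip().lower() in ("true", "1")

    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "destination": root.get("Destination"),
        "force_authn": flag("ForceAuthn"),
        "is_passive": flag("IsPassive"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    request = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, ADFS_SSO_URL, force_authn=True)
    url = redirect_binding_url(ADFS_SSO_URL, request, relay_state="/Home")
    print(inspect_saml_request(url))
```

To confirm the IdP honoured the flag rather than just received it, compare the AuthnInstant in the returned assertion's AuthnStatement with the request's IssueInstant: a fresh login produces an AuthnInstant at or after the request was issued, whereas a reused session reports the earlier original login time.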