we're facing an interesting behaviour of federated authentication. The case is as follows:
- We have 4 sites (relaying parties) connected (or controlled by) to ACS, that ensures login via our STS service.
- If login from one site is fired, ACS contacts STS, STS verifies user and returns result to ACS
- If correct credentials, Master session (valid 10 minutes) is made in STS, and claims are sent back to ACS, which signs it with security token, and returns to caller site.
- On caller site signed FedAuth cookie is made and stored
Now the problem:
- We sign in some of our 4 sites and export all cookies (we use "Edit this cookie" Chrome extension)
- We sign out
- Now we back import these exported cookies
- Reload page
- Federated Authentication module(FAM) checks it, and because FedAuth cookie is valid signed, approves it and user is back signed in
- Note that he's signed in this only one page. On other 3 pages we're unsigned
So, the question is, how can we ensure, that after sign out, FAM knows, that even if the FedAuth cookie is correctly signed, user has been already signed out and therefore deny acces to protected content?
thx in advance