
How do I customize the ADFS 3.0 logout page to force sign out?


We are using ADFS 3.0 with several apps as relying parties. When signing out from a web application the app redirects to:

https://fs.company.com/adfs/ls/idpinitiatedsignon.aspx

That page then has a Sign in button and a Sign Out button with two options:

  1. Sign out from all the sites that you have accessed (selected)

  2. Sign out from this site

The user selects one of those options and then clicks on the Sign Out button. Is it possible for us to force the Sign Out button to be pressed (with the default option) so that the end user doesn't need to do anything?


Solution

  • Looks like I figured it out: the signout page loads a javascript file which can be modified (onload.js). I added a javascript function to that file which sends a click event to the signout button.

    On the ADFS server open PowerShell. See the currently active web theme:

    Get-AdfsWebConfig
    

    This was set to Default. Then create a custom web theme based on the default web theme:

    New-AdfsWebTheme -Name Custom -SourceName Default
    

    Export the web theme for editing:

    Export-AdfsWebTheme -Name Custom -DirectoryPath C:\temp
    

    The file that needs to be edited is: C:\temp\scripts\onload.js. Add these lines at the end (I got the ID of the Sign Out button by inspecting the source code of the signout page):

    var signOutPanel = document.getElementById('idp_SignOutPanel');

    if (signOutPanel)
    {
        // only click the SignOut button if the panel is displayed - otherwise the click
        // would reload the page, run this script again and loop endlessly
        if (signOutPanel.style.display != 'none')
        {
            var logoutKnopf = document.getElementById('idp_SignOutButton');
            if (logoutKnopf)
            {
                window.onload = function(){ logoutKnopf.click(); };
            }
        }
    }
    

    Upload the modified onload.js:

    Set-AdfsWebTheme -TargetName Custom -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path='C:\temp\script\onload.js'}
    

    Activate the custom web theme:

    Set-AdfsWebConfig -ActiveThemeName Custom
    

    Now when the user logs out of the web app he gets logged out completely w/o having to press another sign out button.

    More info on editing the signin and signout page:

    https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx
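The steps in the answer above, collected into one repeatable script as an added example (not part of the original answer): it creates the theme only if it is missing, appends the auto-click snippet only once (a marker comment makes re-runs safe), and records the previously active theme so the change can be rolled back. Assumptions: it runs in an elevated PowerShell on the ADFS server with the ADFS module loaded; the theme name `Custom` and working directory `C:\temp` are placeholders.

```powershell
# Added example, not the original answer's code. Assumes an elevated PowerShell on the
# ADFS server; $ThemeName and $WorkDir are placeholders you can change.
$ThemeName  = 'Custom'
$WorkDir    = 'C:\temp'
$OnloadPath = Join-Path $WorkDir 'script\onload.js'   # Export-AdfsWebTheme writes here
$Marker     = '// auto-signout (custom theme)'

# Remember what is active now so the change can be reverted with one command.
$previousTheme = (Get-AdfsWebConfig).ActiveThemeName
Write-Host "Currently active theme: $previousTheme"

# Create the custom theme only if it does not exist yet, so re-runs do not fail here.
if (-not (Get-AdfsWebTheme -Name $ThemeName -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $ThemeName -SourceName Default
}

# Always export the deployed copy so the edit builds on what is live, not a stale file.
Export-AdfsWebTheme -Name $ThemeName -DirectoryPath $WorkDir

# Append the snippet once; the marker keeps repeated runs from stacking copies of it.
if (-not (Select-String -Path $OnloadPath -Pattern $Marker -SimpleMatch -Quiet)) {
    $snippet = @"

$Marker
var signOutPanel = document.getElementById('idp_SignOutPanel');
// Only act when the panel is shown; otherwise the click reloads the page and loops.
if (signOutPanel && signOutPanel.style.display != 'none') {
    var signOutButton = document.getElementById('idp_SignOutButton');
    if (signOutButton) {
        window.onload = function () { signOutButton.click(); };
    }
}
"@
    Add-Content -Path $OnloadPath -Value $snippet
}

# Upload the edited file into the theme and make the theme active.
Set-AdfsWebTheme -TargetName $ThemeName -AdditionalFileResource @{
    Uri  = '/adfs/portal/script/onload.js'
    path = $OnloadPath
}
Set-AdfsWebConfig -ActiveThemeName $ThemeName

Write-Host "Done. Rollback: Set-AdfsWebConfig -ActiveThemeName $previousTheme"
```

After running it, open the idpinitiatedsignon page once in a browser to confirm the sign-out completes without a second click and that the page does not keep reloading.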