Change notification with Active Directory Federation Services

Question
I am implementing ADFS SSO for our .NET applications. For this I implemented AD FS with a trust relationship to access our partners' IDP.
Now the requirement is to automatically log the user out of all applications if any information about a particular user changes.
I have looked through different articles but had no luck.
I found functionality for an AD environment at https://stackoverflow.com/questions/2002606/registering-change-notification-with-active-directory-using-c-sharp
but not for federated. Please help and suggest some workarounds.
Thanks
- Edited by Praveen2m Monday, November 27, 2017 3:42 PM
Monday, November 27, 2017 3:42 PM
Answers
Hi!
ADFS does that automatically. A user is given a token for an application that lasts for a specific amount of time. When the token's lifetime runs out, the user will return to ADFS. If the user's account was disabled, the user deleted or their password changed, they won't be able to get a new token (immediately). For the password change case, a user will have to sign in freshly.
So, the functionality is there; however, the app might not immediately learn. You can change the token lifetime for the app to something lower (30 minutes?), so the user will have to ping back with ADFS and get a renewal token from time to time.
Thanks,
Florian
The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. Let's give the thread opener a chance to mark an answer themselves.
- Proposed as answer by San4wish Friday, December 15, 2017 6:23 AM
- Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Tuesday, January 9, 2018 2:53 AM
Wednesday, December 13, 2017 7:47 PM
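The answer's suggestion of a shorter per-application token lifetime, as an added PowerShell example (not code from the thread or from Microsoft): it reads the current lifetime on one relying party trust, lowers it to 30 minutes, and lists any other trusts still running on a longer or default lifetime. The relying party name is a placeholder; run it on an AD FS server with ADFS administrator rights.

```powershell
# Added example, not from the thread. Shorten the ADFS token lifetime for one
# relying party so the application returns to ADFS more often; a disabled user
# then stops receiving new tokens as soon as the current one expires.
Import-Module ADFS

$RelyingPartyName   = 'Contoso Partner App'   # placeholder, replace with your RP trust name
$NewLifetimeMinutes = 30                      # the value suggested in the answer above

# Inspect the current setting. TokenLifetime is in minutes; 0 means the trust
# carries no override of its own and the farm-wide default applies.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found." }
"Before: '$($rp.Name)' TokenLifetime = $($rp.TokenLifetime) minute(s)"

# Lower the lifetime. This affects tokens issued from now on; tokens already
# held by the application remain valid until they expire.
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -TokenLifetime $NewLifetimeMinutes

# Verify the change took effect.
$after = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
"After:  '$($after.Name)' TokenLifetime = $($after.TokenLifetime) minute(s)"
if ($after.TokenLifetime -ne $NewLifetimeMinutes) {
    throw "TokenLifetime was not updated as expected."
}

# Review: which other trusts still hand out tokens for longer than the new target
# (or rely on the default)? These are the applications that will be slowest to
# notice a disabled account.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.TokenLifetime -eq 0 -or $_.TokenLifetime -gt $NewLifetimeMinutes } |
    Select-Object Name, TokenLifetime |
    Format-Table -AutoSize
```

The application's own session cookie lifetime must be at most as long as the ADFS token lifetime, otherwise the app keeps the user signed in without ever returning to ADFS.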
All replies
Hello,
what kind of user information change that you need to trigger a logout? Is the change from the .Net App side or from the IDP?
Isaac Oben MCITP:EA, MCSE, MCC (View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard)
Friday, December 1, 2017 7:04 AM
We need to log the user out if they are disabled on the AD server. We are using SAML 2.0 for authenticating users.
Wednesday, December 13, 2017 6:05 PM