* Arjun Manoharan <arjun.m...@zigy.com> [2016-07-13 14:31]:
> First time, a user logged into ADFS with credentials and I authenticated the
> user. Now the issue is, when the same user is trying to log in with
> different credentials, I am unable to see the ADFS login screen; it was
> redirecting to the return URL with the previous ADFS user's session. If I
> close the browser and again hit the URL, I am able to see the ADFS login
> screen.
OK, so you're asking about user switching or account switching when
using Web Single Sign-On (WebSSO or just SSO) within the same browser.
That won't work just like that, since SSO works by establishing a
session with the IDP (referenced in an HTTP Cookie in your web
browser) and as long as that session is active at the IDP (and present
in the browser) you experience "SSO", i.e., you're not asked to
re-authenticate every time an SP sends you to the IDP, which also
means you have no chance to select a different identity to log in
with.
A web browser with HTTP Cookies referencing sessions for many services
on different servers is simply not meant to be shared between several
people (or between several identities of the same person; for the IDP
that's the same thing, it doesn't know that different accounts are
"owned" by the same person).
There are several ways to deal with that.
One is something each subject controls, and that's starting another
browser (or another instance of the same browser, in "private browsing
mode") when you want to switch identities. The good part is that this
works reliably and works everywhere where you either have two
different browsers installed, or where the one browser installed
supports "private browsing mode".
This also allows you to continue working with the previously
established identity and use another browser (instance) for the other
identity, keeping them both separate.
A very different method would be to (try to) implement SLO (SAML 2.0
Single Logout) everywhere and call logout when you're done with using
the first identity. That should (when done right) destroy any active
sessions at the SP you logged out at/from, at the IDP you got SSO
from, and ideally at any other SP you also used as part of that SSO
session. (That may not always work reliably for many reasons. It may
also not be what you wanted: Maybe you wanted to continue using that
one SP and did not want to logout from that, too.)
Then you'd log in using another identity, just like in the "different
browser (instance)" example above, but using only a single browser.
The downsides for the SLO approach are higher technical complexity and
lowered reliability in making this work (as it involves every single
SP and protected application, plus the IDP) and no use of several
identities in parallel is possible. The (only) potential advantage is
that it's maybe easier to explain to technophobes, as it only requires
use of a single browser (instance), and you can't confuse yourself
about what identity is logged in in what browser (instance). But such
people hopefully do not have to routinely use several identities to
achieve their goals.
There are certainly more ways (e.g. disabling SSO at the IDP
completely) but those all have their downsides and need to be
carefully considered by someone who understands the risks involved.
-peter
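The following is an added illustration, not code from either poster and not SAML or ADFS code: a toy model of the session state the reply describes (one cookie jar per browser instance, a session store at the IDP, one at each SP). It reproduces the reported behaviour (a second login with different credentials in the same browser is answered from the existing IDP session, so the login screen never appears), then shows the two remedies from the reply: a second browser instance with its own cookie jar, and SLO propagated from the SP to the IDP and the other SPs in that session. Host names, account names and passwords are constructed.

```python
"""Toy model of WebSSO session state: cookie jar per browser instance,
session store at the IdP, session store at each SP. Constructed example,
not SAML or ADFS code; host names and accounts are invented."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Browser:
    """One browser (instance): one cookie jar, keyed by host name."""
    cookies: dict = field(default_factory=dict)


class IdP:
    HOST = "idp.example"                                     # assumed host name

    def __init__(self):
        self.sessions = {}                                   # cookie value -> {"user", "sps"}
        self.credentials = {"alice": "pw-a", "bob": "pw-b"}  # constructed accounts

    def authn_request(self, browser, sp, credentials=None):
        """Return (user, prompted). With an active IdP session in the cookie
        jar the login screen is skipped and the *existing* identity is
        asserted, whatever credentials the person meant to use (SSO)."""
        sid = browser.cookies.get(self.HOST)
        if sid in self.sessions:
            self.sessions[sid]["sps"].add(sp)                # remember SP for SLO
            return self.sessions[sid]["user"], False
        # no IdP session: the login screen is shown and credentials are checked
        if credentials is None or self.credentials.get(credentials[0]) != credentials[1]:
            return None, True
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": credentials[0], "sps": {sp}}
        browser.cookies[self.HOST] = sid
        return credentials[0], True

    def single_logout(self, browser):
        """SLO: drop the IdP session and tell every SP in it to drop theirs."""
        sid = browser.cookies.pop(self.HOST, None)
        sess = self.sessions.pop(sid, None)
        if sess:
            for sp in sess["sps"]:
                sp.local_logout(browser)


class SP:
    def __init__(self, host, idp):
        self.host, self.idp, self.sessions = host, idp, {}

    def visit(self, browser, credentials=None):
        """Return (user, how). A live SP session is used directly; otherwise the
        browser is sent to the IdP, which either prompts or answers via SSO."""
        sid = browser.cookies.get(self.host)
        if sid in self.sessions:
            return self.sessions[sid], "sp-session"
        user, prompted = self.idp.authn_request(browser, self, credentials)
        if user is None:
            return None, "login-screen"
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.cookies[self.host] = sid
        return user, "login-screen" if prompted else "sso"

    def local_logout(self, browser):
        """Logout at this SP only; the IdP session survives."""
        self.sessions.pop(browser.cookies.pop(self.host, None), None)

    def logout(self, browser, slo=False):
        self.local_logout(browser)
        if slo:
            self.idp.single_logout(browser)


def run_scenarios():
    """Walk through the reported problem and both remedies; returns a dict of
    (user, how) results keyed by step name."""
    idp = IdP()
    app, other = SP("app.example", idp), SP("other.example", idp)
    b = Browser()
    out = {}
    out["first_login"] = app.visit(b, ("alice", "pw-a"))           # ('alice', 'login-screen')
    out["second_sp"] = other.visit(b)                              # ('alice', 'sso')
    # the reported problem: leave the app, come back intending to log in as bob
    app.local_logout(b)
    out["switch_same_browser"] = app.visit(b, ("bob", "pw-b"))     # ('alice', 'sso')
    # remedy 1: another browser instance (own cookie jar), identities in parallel
    b2 = Browser()
    out["switch_private_window"] = app.visit(b2, ("bob", "pw-b"))  # ('bob', 'login-screen')
    out["first_browser_unchanged"] = app.visit(b)                  # ('alice', 'sp-session')
    # remedy 2: SLO from the app clears the IdP session and the other SP's session
    app.logout(b, slo=True)
    out["other_after_slo"] = other.visit(b)                        # (None, 'login-screen')
    out["switch_after_slo"] = app.visit(b, ("bob", "pw-b"))        # ('bob', 'login-screen')
    return out


if __name__ == "__main__":
    for step, result in run_scenarios().items():
        print(f"{step:24s} -> {result}")
```

The `switch_same_browser` step is the reported symptom: the SP has no session, so it sends the browser to the IDP, but the IDP finds its own cookie and asserts "alice" without ever showing the login screen, so the "bob" credentials are never consulted. The `switch_after_slo` step only works because `single_logout` reaches the IDP session; a local logout at the SP alone changes nothing, which is the reliability concern the reply raises.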