
I am implementing ADFS SSO for our .NET applications. For this I implemented AD FS with a trust relationship to access our partner's IDP.

Now the requirement is to auto-logout the user from all applications if any information of a particular user changes.

I have looked through different articles but had no luck.

I found functionality for an AD environment at (Registering change notification with Active Directory using C#), but not for a federated one. Please help and suggest some workarounds.

Thanks

Praveen

1 Answer


ADFS only uses AD for authentication and authorisation. There is no other pipeline OOTB.

Also, the information passed to an application is not dynamic. You get claims when you log in and nothing after that. To get a new set of claims, you have to log out and log in again.

You could write a custom attribute store that sets up a claim when something has changed, but this is only invoked when you log in, so you would immediately be logged out, which would be confusing.

rbrayb