SAML session persistence in Edge despite clearing cookies and deleting user certificate from personal store

  • Question

  • Hello,

    I made a logout simulation on my Edge browser after authentication to an RP using ADFS as IDP (Certificate Authentication).

    If I close the browser, the session is destroyed, obviously.

    However, if I log out (SLO not supported), delete all browser cookies AND delete my user certificate from the personal store, the session still logs me back in after a refresh! The IDP answers me with a SAMLRequest cookie even if no cookie was sent in the request.

    Please note that on Firefox, doing the same steps results in the session being destroyed and a prompt for the smart card password.

    My question is: where does Edge fetch my identity from, since both my cookies and my identity are supposedly deleted?

    PS: I'm aware this is not the right category, but I didn't find the appropriate one on the menu.
    Thursday, December 24, 2020 2:23 PM

Answers

  • I'd try asking for help over here.

    adfs - Microsoft Q&A

    ms-edge - Microsoft Q&A

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Biliana Mouzaphirova Monday, December 28, 2020 12:27 PM
    • Marked as answer by Exc_Adm Tuesday, December 29, 2020 1:50 PM
    Thursday, December 24, 2020 3:35 PM