Today’s topic is one for which I deserve zero credit, I’m just putting out info that one of our crack engineers, Chad Ray, managed to dig up. I wanted to publish it here because I’ve worked with and talked to so many folks in the past who have struggled with getting a truly complete signout experience from SharePoint when using SAML authentication. Chad was doing some digging and ran across a new property (in SharePoint 2013) on the SPTrustedIdentityTokenIssuer called ProviderSignOutUri. As Chad explained to me, you just need to set it to the authentication endpoint of your IdP. So for example, if you are using ADFS as your IdP and the ADFS host name is adfs.contoso.com, then the value you would set this property to is https://adfs.contoso.com/adfs/ls.
Not only will this log you out of your SAML session, it will also invalidate the fedauth cookie that you have locally so you really have to sign in again if you want to access content. Kudos to Chad for finding this and sharing it.