Imagine the following scenario.

User visits a site A (ASP.NET), authenticates using ADFS and gets a set of claims . At some point, they need to register for an additional service so they are redirected to a provisioning site B (ASP.NET) (also using ADFS – so SSO) where they register by entering their relevant details and are redirected back to A.

However, part of the provisioning process added attributes to a repository (normally AD) and we would like those attributes to form part of their claim set.

To do this they have re-authenticate? Is the best way to do this by forcing a federated logout? Would this be done by site A or site B?

If they are internal users using WIA, they would be logged in “behind the scenes” and the whole process would be transparent.

What if they are external users using FBA? Wouldn’t they have to log-in again? Given that this is not a very satisfactory user experience, is there a way around this?

There are some references out there that talk about writing a signed token as a cookie to the client browser and then the STS later authenticating the SSO token from the cookie. How would you do this with ADFS?

Have a look at the blog post I wrote about a similar scenario:

Refreshing Claims in a WIF Claims-Aware Application

In this case, the user is logged out locally but then redirected back to ADFS where they are "signed back in" since their ADFS cookie is still valid. This little hop is mostly transparent to the user and will update the claims.