I recently implemented a centralized security token cache and observed that although the user signs-out and the session cookie is removed from the browser the session token was never removed from the SecurityTokenCache. This is something I would never have observed if I did not implement this cache.
Below the code used to sign a user out from federation.
It turns out that as crazy as this might sound that the order of the module in the web.config is responsible for this odd behavior. If the SessionAuthenticationModule is declared after the WSFederationAuthenticationModule the WSFederationAuthenticationModule does not hook itself up to the SessionAuthenticationModule which is responsible for the session management.
Simply swap the order around in your web.config and this problem will disappear.
<!-- Note the SessionAuthenticationModule must be declared above the WSFederationAuthenticationModule otherwise the session does not get logged out --> <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" /> <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=184.108.40.206, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />