Java Integration Kit

SP single logout (SLO)

When a service provider (SP) PingFederate server receives a request for single logout (SLO), it redirects the user’s browser to the logout service as configured in the SP OpenToken Adapter instance. As part of the redirect, PingFederate and the OpenToken Adapter include both an OpenToken and a resumePath query parameter.

  • The OpenToken includes attributes about the user.

  • The resumePath query parameter provides the SP with the target URL where the user’s browser must return after the application completes the local sign off.

A user can have multiple sessions. This sign-off sequence, as shown in the following diagram, happens for each of the user’s sessions controlled by the SP PingFederate server.


Sequence

  1. PingFederate receives an SLO request under the SAML 2.0 protocol.

  2. If the application server has an SLO service configured, PingFederate redirects the user to the SLO service, which identifies and removes the user’s session locally.

  3. The application logout service redirects back to PingFederate to display a sign off success page.

    If the web application does not have an SLO service configured, the adapter redirects back to PingFederate, which displays a sign off success page.

The code needed to perform an SP-initiated SLO is identical to that required for an IdP-initiated SLO.
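
Because the resumePath value in step 3 arrives as a query parameter, the logout service should check it before redirecting. The following is an added example, not code from the Java Integration Kit: the class name, the `PF_BASE` host and the sample paths are hypothetical, and it assumes resumePath is a server-relative path that the application appends to its configured PingFederate base URL.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class ResumePathRedirect {
    // Assumption: SP PingFederate base URL from application configuration
    // (placeholder host), never taken from the incoming request.
    private static final URI PF_BASE = URI.create("https://pingfederate.example.com:9031");

    /** Returns the post-logout redirect URL, or throws if resumePath is not a plain server-relative path. */
    public static URI buildReturnUrl(String resumePath) {
        if (resumePath == null || !resumePath.startsWith("/") || resumePath.startsWith("//")) {
            throw new IllegalArgumentException("resumePath must be a server-relative path");
        }
        for (int i = 0; i < resumePath.length(); i++) {
            char c = resumePath.charAt(i);
            if (c == '\\' || c <= 0x20 || c == 0x7f) { // backslash, space, CR/LF, other controls
                throw new IllegalArgumentException("illegal character in resumePath");
            }
        }
        URI relative;
        try {
            relative = new URI(resumePath);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("resumePath is not a valid URI reference", e);
        }
        if (relative.isAbsolute() || relative.getRawAuthority() != null) {
            throw new IllegalArgumentException("resumePath must not carry a scheme or host");
        }
        URI target = PF_BASE.resolve(relative).normalize();
        // Defence in depth: the resolved URL must still point at the configured origin.
        if (!PF_BASE.getScheme().equals(target.getScheme())
                || !PF_BASE.getHost().equals(target.getHost())
                || PF_BASE.getPort() != target.getPort()) {
            throw new IllegalArgumentException("redirect target left the PingFederate origin");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real PingFederate paths.
        System.out.println(buildReturnUrl("/sp/constructed/resume"));
        for (String bad : new String[] {"https://other.example/x", "//other.example/x", "/\\other.example"}) {
            try {
                buildReturnUrl(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

In a servlet-based logout service, the application would remove the local session first and then pass `buildReturnUrl(request.getParameter("resumePath")).toString()` to `response.sendRedirect`.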