5

Given:

  • PingFederate is a single-sign-on (SSO) solution, which allows users to be authenticated by 1-n applications using a single username and password.

High-Level Questions:

  • How does PingFederate's single-log-off (SLO) feature work?
  • And how does SLO work in general?

Given:

  • To begin the SLO process, we'd expect the user to request the SLO endpoint from the browser (i.e. https://[PingFederateInstance]/idp/startSLO.ping?PartnerSpId=[PartnerSpId]).
  • And we can assume that the PingFederate instance will issue a redirect after a succesful SLO invocation.

Specific Questions:

  • But what if you have multiple applications in multiple browser windows?
  • How could a federated identity provider tell multiple applications to terminate their user sessions?
Jim G.
  • 15,141
  • 22
  • 103
  • 166

1 Answers1

4

Direct from the PingFederate Getting Started manual:

"The single logout (SLO) profile enables a user to log out of all participating sites in a federated session nearly simultaneously. The user may log out globally from any site, whether SP or IdP, as determined by respective Web applications. The associated IdP federation deployment handles all logout requests and responses for participating sites."

That said - PingFederate (acting as an IdP) knows which SPs you have federated with in a given session. When the user kicks off SLO (from the example you gave - at the IdP - it could also be initiated from an SP) the users browser (assuming a Redirect or POST binding) is sent to each SP with a SAML LogoutRequest.

If by "multiple browser windows" you mean independent browsers / browser sessions, then indeed PingFederate wouldn't know to logout of all the IdP's. You need to have some common session amongst them. So, if it's just multiple browser windows, but sharing the same session information (e.g.: cookies) this wil work fine.

For more information, you may want to consult section 4.4 of the SAML 2.0 Profiles spec: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Keep in mind PingFederate supports more than just SAML 2.0 - but not all federation protocols support SLO (e.g.: SAML 1.x). Also, many non-PingFederate SAML aware applications don't support SLO.

Jim G.
  • 15,141
  • 22
  • 103
  • 166
Scott T.
  • 6,152
  • 1
  • 26
  • 32