---
title: SP single logout (SLO)
description: When an service provider (SP) PingFederate server receives a request for single logout (SLO), it redirects the user's browser to the logout service as configured in the SP OpenToken Adapter instance. As part of the redirect, PingFederate and the OpenToken Adapter include both an OpenToken and a resumePath query parameter.
component: java
page_id: java:setup:pf_java_ik_sp_single_logout_slo
canonical_url: https://docs.pingidentity.com/integrations/java/setup/pf_java_ik_sp_single_logout_slo.html
revdate: June 21, 2024
section_ids:
  sequence: Sequence
---

# SP single logout (SLO)

When an service provider (SP) *(tooltip: \<div class="paragraph">
\<p>In SAML, an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource.\</p>
\</div>)* PingFederate server receives a request for single logout (SLO) *(tooltip: \<div class="paragraph">
\<p>The process of signing a user out of multiple sites where the user has started a SSO session.\</p>
\</div>)*, it redirects the user's browser to the logout service as configured in the SP OpenToken Adapter instance. As part of the redirect, PingFederate and the OpenToken Adapter include both an OpenToken and a **resumePath** query parameter.

* The OpenToken includes attributes about the user.

* The **resumePath** query parameter provides the SP with the target URL where the user's browser must return after the application completes the local sign off.

A user can have multiple sessions. This sign-off sequence, as shown in the following diagram, happens for each of the user's sessions controlled by the SP PingFederate server.

![ekx1563995430479](_images/ekx1563995430479.jpg)

## Sequence

1. PingFederate receives an SLO request under the SAML 2.0 protocol.

2. If the application server has an SLO service configured, PingFederate redirects the user to the SLO service, which identifies and removes the user's session locally.

3. The application logout service redirects back to PingFederate to display a sign off success page.

   If the web application does not have an SLO service configured, the adapter redirects back to PingFederate, which displays a sign off success page.

The code needed to perform an SP-initiated SLO *(tooltip: \<div class="paragraph">
\<p>In SAML, an identity-federation transaction in which the initial action for single logout (SLO) occurs at a the service provider (SP) site.\</p>
\</div>)* is identical to that required for an IdP-initiated SLO *(tooltip: \<div class="paragraph">
\<p>An identity federation transaction in which the SLO operation is initiated on the IdP. For example, the user is signed on to the IdP and signs off, triggering an SLO operation on the IdP, which sends the SLO information to the SP.\</p>
\</div>)*.