IdP single logout integration
When an IdP PingFederate server receives a request for SLO, it redirects the user’s browser to the Logout Service defined in the IdP OpenToken Adapter configuration. The redirect URL includes an OpenToken containing the user attributes defined in the IdP OpenToken Adapter instance for the partner connection. The Logout Service should remove the user’s session on the application server and redirect the user’s browser back to the IdP PingFederate server.
Logout flow
The following diagram shows the flow of IdP-initiated SLO, but the architecture would also support SP-initiated SLO.
1. The user initiates a single logout request. The request targets the PingFederate server's /idp/startSLO.ping endpoint.
2. PingFederate sends logout requests to, and receives responses from, all SPs registered for the current SSO session.
3. PingFederate redirects the request to the IdP web application's Logout Service, which identifies and removes the user's session locally.
4. The application Logout Service redirects back to PingFederate to display a logout-success page.
Processing logout requests
The following code snippet shows how to process a logout request and send it back to PingFederate through the user’s browser:
// Remove local session
. . . .
IDictionary userInfo = new Dictionary<String, String>();
// Add userId for the logged on user as the token subject
userInfo.Add(Agent.TOKEN_SUBJECT, <userId>);
// Send the browser back to PingFederate so it can resume the SLO flow;
// the "resume" request parameter carries the path PingFederate expects
String returnUrl = "https://<PingFederate DNS>:9031" + Request["resume"];
Response.Redirect(returnUrl);
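The snippet above appends the resume parameter straight onto the PingFederate base URL. A Logout Service in production should check that the value is a plain path on the PingFederate host before redirecting, so the SLO return cannot be steered to another site. The following is an added example of such a check, not part of the PingFederate documentation or the OpenToken agent; the base URL, the Logout page class and the use of Session.Abandon() for the local session are assumptions.

```csharp
using System;
using System.Web;

public static class SloReturnUrl
{
    // Placeholder for the PingFederate runtime base URL; use the real host in deployment.
    public const string PingFederateBase = "https://pingfederate.example.com:9031";

    // Returns the absolute URL to redirect to, or null when "resume" is not
    // a plain absolute path on the PingFederate host (a value carrying its own
    // scheme, authority or userinfo would otherwise move the redirect off-host).
    public static string Build(string resume)
    {
        if (string.IsNullOrEmpty(resume) || !resume.StartsWith("/") || resume.StartsWith("//"))
            return null;

        Uri baseUri = new Uri(PingFederateBase);
        Uri target;
        if (!Uri.TryCreate(baseUri, resume, out target))
            return null;

        // After resolution the URL must still point at PingFederate over HTTPS;
        // this catches encodings and separators that the prefix check alone misses.
        if (target.Scheme != Uri.UriSchemeHttps
            || !string.Equals(target.Host, baseUri.Host, StringComparison.OrdinalIgnoreCase)
            || target.Port != baseUri.Port)
            return null;

        return target.AbsoluteUri;
    }
}

// Logout Service page registered in the IdP OpenToken Adapter configuration (assumed name).
public partial class Logout : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Remove the local application session before returning to PingFederate.
        Session.Abandon();

        string returnUrl = SloReturnUrl.Build(Request["resume"]);
        if (returnUrl == null)
        {
            // Refuse to redirect anywhere other than PingFederate.
            Response.StatusCode = 400;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        Response.Redirect(returnUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

With this check a resume value such as /idp/resumeSLO.ping is accepted, while one that resolves to a different host is rejected with a 400 and the browser is never redirected.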