---
title: Implement SSO and SLO
description: You can implement both single sign-on (SSO) and single logout (SLO) with AM SAML 2.0.
component: pingam
version: 8.1
page_id: pingam:am-saml2:saml2-sso-slo
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-saml2/saml2-sso-slo.html
keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation"]
page_aliases: ["saml2-guide:saml2-sso-slo.adoc"]
section_ids:
  sso-integrated: Integrated or standalone mode
---

# Implement SSO and SLO

You can implement both single sign-on (SSO) and single logout (SLO) with AM SAML 2.0.

SSO is the ability to log in once but access multiple applications, whereas SLO is the ability to terminate multiple login sessions by logging out of one central place.

AM provides two ways to implement SSO: *integrated mode* and *standalone mode*. You must use standalone mode to implement SLO because integrated mode supports SSO only.

SSO can be initiated either from the SP or the IdP:

* SP-initiated SSO

  The SP initiates the login request.

  A common reason to choose SP-initiated SSO is the ability for end users to access specific URLs within the application immediately upon login.

  For example:

  1. If an end user navigates to the SP first, then the SP directs them to the IdP for the login.

  2. If the end user already has a session on the IdP, then the IdP redirects them back to the SP with a SAML assertion.

  3. If the end user doesn’t have a session, they enter their credentials. After a successful login, they are redirected back to the SP with a SAML assertion.

  4. The end user can access the SP application.

  Find an example use case in [Grant access to Google Workspace](saml2-introduction.html#saml2-use-case-spinit).

* IdP-initiated SSO

  The IdP initiates the login to the SP.

  An IdP-initiated SSO flow can simplify the user experience by making an application appear part of the IdP’s portal.

  For example:

  1. The end user is already logged into the IdP and clicks the application (SP) they want to access.

  2. The IdP sends a SAML assertion to the SP.

  3. The end user is allowed access to the SP application.

  Find an example use case in [Grant access to a pension application through a workplace portal](saml2-introduction.html#saml2-use-case-idpinit).

## Integrated or standalone mode

Your deployment requirements determine whether you should implement SAML 2.0 in integrated or standalone mode.

* Integrated mode

  This option uses nodes and trees to integrate SAML 2.0 SSO into the AM authentication process. SP-initiated SSO in integrated mode must use the [SAML2 Authentication node](https://docs.pingidentity.com/auth-node-ref/8.1/saml2.html).

* Standalone mode

  Access servlet URLs to initiate SSO and SLO.

  |   |                                                                                                                                                                                      |
  | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
  |   | You can also configure web and Java agents to work alongside AM when performing SSO and SLO. Find out more in [Web or Java agents SSO and SLO](using-saml2-with-policy-agents.html). |

**Integrated or standalone mode?**

| Deployment task or requirement                                                            | Implementation mode                                                                                                                                                                                                        |
| ----------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| You want to deploy only SAML 2.0 SSO using the easiest technique.                         | Use [integrated mode](saml2-integrated-mode.html).                                                                                                                                                                         |
| You want to deploy both SAML 2.0 SSO and SLO.                                             | Use [standalone mode](saml2-standalone-mode.html).                                                                                                                                                                         |
| You want to deploy SAML 2.0 IdP-initiated SSO.                                            | Use a [standalone URL](saml2-standalone-mode.html) to trigger the flow\.Set [configuration](saml2-integrated-mode.html#saml2-integrated-mode-sso-trees-procedure) to run in [integrated mode](saml2-integrated-mode.html). |
| You want to use the SAML 2.0 Enhanced Client or Proxy (ECP) SSO profile.                  | Use [standalone mode](saml2-standalone-mode.html).                                                                                                                                                                         |
| Your IdP and SP instances are using the same domain name; for example, `mydomain.net`.(1) | Use [standalone mode](saml2-standalone-mode.html).                                                                                                                                                                         |

(1) You can’t use integrated mode when both the IdP and SP share a domain name because of the way it tracks the authentication status using a cookie.