IdP Session Registry Service
PingFederate uses the IdP Session Registry Service to facilitate single logout (SLO) by tracking assertions issued to Service Provider (SP) partners.
PingFederate uses this service only when it acts in an Identity Provider (IdP) role and supports SLO with one or more partner connections.
When PingFederate is in clustered mode, the service proxy uses a group RPC-based, preferred-nodes implementation. The configuration file is <pf_install>/pingfederate/server/default/conf/cluster-idp-session-registry.conf.
This service supports both adaptive clustering and directed clustering.
For adaptive clustering, PingFederate shares user session-state information with a replica set. If region identifiers are defined, PingFederate shares user session-state information among multiple replica sets across regions. You can optionally override this default behavior in the configuration file.
For directed clustering, all preferred-node approaches are possible with this implementation.
Neither adaptive clustering nor the subcluster deployment strategies in directed clustering support the SAML 2.0 SLO profile using the SOAP binding. If one or more SAML 2.0 connections are configured to support SLO via SOAP, you must choose between the "sharing all nodes" and "designating state servers" deployment strategies in directed clustering (see Directed clustering).
The service proxy uses the class org.sourceid.saml20.service.impl.grouprpc.IdpSessionRegistryGroupRpcImpl.
If the IdP session registry is configured with the Directed Clustering - Subclusters state management architecture, the capability to revoke sessions after password change or reset is not supported.