IdP Session Registry Service
PingFederate uses the IdP Session Registry Service to facilitate single logout (SLO) by tracking assertions issued to SP partners.
PingFederate uses this service only when acting in an identity provider (IdP) role. SLO must be configured for one or more partner connections.
When PingFederate is in clustered mode, the service proxy uses a group RPC-based, preferred-nodes implementation. The configuration file is <pf_install>/pingfederate/server/default/conf/cluster-idp-session-registry.conf.
This service supports both adaptive clustering and directed clustering.
For adaptive clustering, PingFederate shares user session-state information with a replica set. If region identifiers are defined, PingFederate shares user session-state information among multiple replica sets across regions. You can optionally override this default behavior in the <pf_install>/pingfederate/server/default/conf/cluster-adaptive.conf file by changing the inter.group.replicate.sessions parameter to false.
For directed clustering, all preferred-node approaches are possible with this implementation.
The adaptive clustering and the subcluster deployment strategies in directed clustering don’t support the SAML 2.0 SLO profile using the SOAP binding. If one or more SAML 2.0 connections are configured to support SLO using SOAP, you must choose between the sharing all nodes and designating state servers deployment strategies in directed clustering. Learn more in Directed clustering.
The service proxy uses the class org.sourceid.saml20.service.impl.grouprpc.IdpSessionRegistryGroupRpcImpl.
If the IdP session registry is configured with the Directed Clustering - Subclusters state management architecture, the capability to revoke sessions after password change or reset isn’t supported.