PingOne Advanced Identity Cloud

Implement SSO and SLO

Within SAML 2.0 you can implement single sign-on (SSO) and single logout (SLO). SLO is the ability to terminate multiple login sessions by logging out of one central place.

SSO can be initiated either from the SP or the IdP:

SP-initiated SSO

The SP initiates the login request.

A common reason to choose SP-initiated SSO is the ability for end users to access specific URLs within the application immediately upon login.

For example:

  • If a user navigates to the SP first, then the SP directs to the IdP for the login.

  • If the user already has a session on the IdP, then the IdP redirects the user back to the SP with a SAML assertion.

  • If the user doesn’t have a session, they enter their credentials. After a successful login, the user is redirected back to the SP with a SAML assertion.

  • The user is allowed access to the SP application.

Find an example use case in Grant access to Google Workspace.

IdP-initiated SSO

The IdP initiates the login to the SP.

An IdP-initiated SSO flow can simplify the user experience by making an application appear part of the IdP’s portal.

For example:

  • The user is already logged into the IdP and clicks an application (SP) to access the application.

  • The IdP sends a SAML assertion to the SP.

  • The user is allowed access to the SP application.
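Both flows above, SP-initiated and IdP-initiated, as an added Python example that is not part of this page and is not Advanced Identity Cloud or Ping Identity code. It models an SP and an IdP exchanging SAML 2.0 messages in memory: the SP builds an AuthnRequest for the HTTP-Redirect binding and records its ID, the IdP returns a Response with an assertion (echoing the request ID as InResponseTo in the SP-initiated case, omitting it in the IdP-initiated case), and the SP validates issuer, InResponseTo, validity window and audience before granting access. The entity IDs, ACS URL, user names and session cookies are hypothetical values constructed for the example, and XML signature verification is deliberately left out, so the validation shown is only the part that comes after a real SP has verified the signature.

```python
# Constructed simulation of SP- and IdP-initiated SAML 2.0 SSO; not Advanced Identity Cloud
# code. XML signature verification is omitted: a real SP must verify it before any other check.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical entity IDs and ACS endpoint, constructed for this example.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"

def _parse(stamp):
    return datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)

class ServiceProvider:
    def __init__(self):
        self.pending = {}  # AuthnRequest ID -> URL the user originally asked for

    def build_authn_request(self, target_url):
        # SP-initiated step 1: send the browser to the IdP with an AuthnRequest (HTTP-Redirect binding)
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = target_url
        root = ET.Element(SAMLP + "AuthnRequest", {"ID": req_id, "Version": "2.0",
                          "IssueInstant": datetime.now(timezone.utc).strftime(FMT),
                          "AssertionConsumerServiceURL": SP_ACS_URL})
        ET.SubElement(root, SAML + "Issuer").text = SP_ENTITY_ID
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, then base64, in SAMLRequest
        return base64.b64encode(comp.compress(ET.tostring(root)) + comp.flush()).decode()

    def consume_response(self, saml_response_b64, allow_unsolicited=False):
        # Last step of both flows: validate the Response posted to the ACS URL; returns (subject, url)
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        if root.findtext(SAML + "Issuer") != IDP_ENTITY_ID:
            raise ValueError("unexpected issuer")
        in_response_to = root.get("InResponseTo")
        if in_response_to is not None:
            # SP-initiated: must match an outstanding request; pop() also blocks replay
            target = self.pending.pop(in_response_to, None)
            if target is None:
                raise ValueError("InResponseTo does not match a pending request")
        elif allow_unsolicited:
            target = "/"  # IdP-initiated: nothing to match, land on the default page
        else:
            raise ValueError("unsolicited (IdP-initiated) responses are disabled")
        assertion = root.find(SAML + "Assertion")
        cond = assertion.find(SAML + "Conditions")
        if not _parse(cond.get("NotBefore")) <= datetime.now(timezone.utc) < _parse(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if SP_ENTITY_ID not in [a.text for a in cond.iter(SAML + "Audience")]:
            raise ValueError("assertion not intended for this SP")
        return assertion.find(SAML + "Subject/" + SAML + "NameID").text, target

class IdentityProvider:
    def __init__(self, sessions):
        self.sessions = sessions  # browser cookie -> authenticated user

    def sso(self, cookie, saml_request_b64=None):
        # With a SAMLRequest (SP-initiated) the Response echoes the request ID as InResponseTo;
        # without one (IdP-initiated) it carries no InResponseTo.
        if cookie not in self.sessions:
            return None  # no IdP session: the IdP shows its login page instead
        t = datetime.now(timezone.utc)
        resp = ET.Element(SAMLP + "Response", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                          "IssueInstant": t.strftime(FMT)})
        if saml_request_b64 is not None:
            req = ET.fromstring(zlib.decompress(base64.b64decode(saml_request_b64), -15))
            resp.set("InResponseTo", req.get("ID"))
        ET.SubElement(resp, SAML + "Issuer").text = IDP_ENTITY_ID
        a = ET.SubElement(resp, SAML + "Assertion", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                          "IssueInstant": t.strftime(FMT)})
        ET.SubElement(a, SAML + "Issuer").text = IDP_ENTITY_ID
        ET.SubElement(ET.SubElement(a, SAML + "Subject"), SAML + "NameID").text = self.sessions[cookie]
        cond = ET.SubElement(a, SAML + "Conditions", {"NotBefore": (t - timedelta(minutes=1)).strftime(FMT),
                                                      "NotOnOrAfter": (t + timedelta(minutes=5)).strftime(FMT)})
        ET.SubElement(ET.SubElement(cond, SAML + "AudienceRestriction"), SAML + "Audience").text = SP_ENTITY_ID
        return base64.b64encode(ET.tostring(resp)).decode()  # HTTP-POST binding: plain base64

def sp_initiated_flow():
    # User hits the SP first with no IdP session, logs in at the IdP, then lands on /reports.
    sp, idp = ServiceProvider(), IdentityProvider({})
    request = sp.build_authn_request("/reports")
    assert idp.sso("cookie-1", request) is None  # no session yet
    idp.sessions["cookie-1"] = "alice"  # user enters credentials at the IdP
    return sp.consume_response(idp.sso("cookie-1", request))

def idp_initiated_flow():
    # User already logged in at the IdP clicks the SP's tile in the IdP portal.
    sp, idp = ServiceProvider(), IdentityProvider({"cookie-2": "bob"})
    return sp.consume_response(idp.sso("cookie-2"), allow_unsolicited=True)

def replay_is_rejected():
    # Presenting the same SP-initiated Response a second time must fail.
    sp, idp = ServiceProvider(), IdentityProvider({"cookie-3": "carol"})
    response = idp.sso("cookie-3", sp.build_authn_request("/"))
    sp.consume_response(response)
    try:
        sp.consume_response(response)
    except ValueError:
        return True
    return False
```

The `allow_unsolicited` switch is the practical difference between the two flows from the SP's side: an SP-initiated deployment can insist that every Response answers a request it issued, which is what lets `pending.pop()` reject a replayed Response, whereas an IdP-initiated deployment has to accept Responses with no InResponseTo and so relies entirely on the signature, validity window and audience checks.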

Integrated and standalone mode

Advanced Identity Cloud provides the following options for implementing SSO and SLO with SAML 2.0:

Integrated mode

This option uses nodes, in particular the SAML2 Authentication node, to integrate SAML 2.0 SSO into the Advanced Identity Cloud authentication process.

Standalone mode

Access servlet URLs to initiate SSO and SLO.

Use standalone mode for any of the following reasons:

  • You want to trigger SAML 2.0 IdP-initiated SSO.

  • You want to use the SAML 2.0 Enhanced Client or Proxy (ECP) single sign-on profile.

  • Your IdP and SP instances are using the same domain name, for example, mydomain.net.

    Due to the way integrated mode tracks authentication status by using a cookie, it can’t be used when both the IdP and SP share a domain name.

The following table summarizes support for SSO and SLO in integrated and standalone mode.

Mode              SSO            SLO

Integrated mode   SSO only (1)   Not supported

Standalone mode   Supported      Supported

(1) Only supported if IdP and SP instances are using different domain names.