The single logout (SLO) profile enables users to log out of all participating sites in a federated session from any site.
The associated identity provider (IdP) federation deployment manages all logout requests and responses for participating sites. If a participating site returns an error, other participating sites might not receive their logout requests. In this scenario, PingFederate returns an error message to the end users.
The logout messages can be transported using any combination of bindings described for SSO (POST, artifact, or redirect). See the diagrams under SAML 2.0 profiles for illustrations of these message flows.
When configuring a local loopback connection, in which one PingFederate instance is both the identity provider and the service provider, disable the IdP-Initiated SLO and SP-Initiated SLO options on the Browser SSO window's SAML Profiles tab. These options determine whether SAML logout requests should be sent to the partner during the SLO flow. Those requests aren't necessary and can cause unexpected behavior when the partner connection exists locally. All local sessions for loopback connections are terminated during the SLO flow without the need to send SAML requests.
About session cleanup
When a service provider (SP) receives an SLO request from an IdP, the session creation adapters must handle any session cleanup involving the local application.
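The following is an added example, not PingFederate code or its adapter SDK. It shows the local cleanup an SP-side application might perform for an incoming SAML 2.0 LogoutRequest: match the issuer, NameID, and any SessionIndex values against local sessions and end the matches. The session store, function names, and sample message are constructed for illustration, and the code assumes the message signature was already validated and the XML was accepted by a hardened parser.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed sample message; a real one arrives signed over POST, artifact or redirect.
SAMPLE_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:NameID>alice@example.com</saml:NameID>
  <samlp:SessionIndex>idx-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class LocalSessionStore:
    """Hypothetical application session table: id -> (issuer, NameID, SessionIndex)."""

    def __init__(self):
        self.sessions = {}

    def create(self, sid, issuer, name_id, session_index):
        self.sessions[sid] = (issuer, name_id, session_index)

    def terminate_matching(self, issuer, name_id, indexes):
        # A request without SessionIndex ends every session of that principal.
        doomed = [sid for sid, (iss, nid, idx) in self.sessions.items()
                  if iss == issuer and nid == name_id and (not indexes or idx in indexes)]
        for sid in doomed:
            del self.sessions[sid]
        return doomed


def handle_logout_request(xml_text, store):
    """Return (status_code, in_response_to, terminated_session_ids)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return REQUESTER, None, []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not issuer or not name_id:
        return REQUESTER, root.get("ID"), []
    indexes = {(e.text or "").strip() for e in root.findall("samlp:SessionIndex", NS)}
    ended = store.terminate_matching(issuer.strip(), name_id.strip(), indexes)
    # Cleanup is idempotent: an already-ended session still yields Success.
    return SUCCESS, root.get("ID"), ended
```

The returned status and request ID are what the SP would place in the LogoutResponse (`StatusCode` and `InResponseTo`) sent back to the IdP.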