When an IdP PingFederate server receives a request for single logout (SLO), it redirects the user’s browser to the logout service defined in the IdP OpenToken Adapter configuration. The redirect URL includes an OpenToken containing the user attributes defined in the IdP OpenToken Adapter instance for the partner connection. The logout service should remove the user’s session on the application server and redirect the user’s browser back to the IdP PingFederate server.

The following diagram shows the flow of IdP-initiated SLO, but the architecture would also support SP-initiated SLO:

Sequence

  1. User initiates a single logout request. The request targets the PingFederate server’s /idp/startSLO.ping endpoint.
  2. PingFederate sends a logout requests and receives responses for all SPs registered for the current SSO session.
  3. If the application server has an SLO service configured, PingFederate redirects the request to the SLO service, which identifies and removes the user’s session locally.
  4. The application logout service redirects back to PingFederate to display a logout-success page. If the web application does not have an SLO service configured, the adapter redirects back to PingFederate, which displays a logout success page.