When an SP PingFederate server receives a request for SLO, it redirects the user’s browser to the logout service as configured in the SP OpenToken Adapter instance. As part of the redirect, PingFederate and the OpenToken Adapter include both an OpenToken and a resumePath query parameter.

  • The OpenToken includes attributes about the user.
  • The resumePath query parameter provides the SP with the target URL where the user's browser must return after the application completes the local logout.

A user can have multiple sessions. This logout sequence, as shown in the following diagram, will occur for each of the user’s sessions controlled by the SP PingFederate server.

Sequence

  1. PingFederate receives an SLO request under the SAML 2.0 protocol.
  2. If the application server has an SLO service configured, PingFederate redirects the user to the SLO service, which identifies and removes the user’s session locally.
  3. The application logout service redirects back to PingFederate to display a logout-success page. If the web application does not have an SLO service configured, the adapter redirects back to PingFederate, which displays a logout success pagel.

The code needed to perform an SP SLO is identical to that required for an IdP SLO.