When an IdP PingFederate server receives a request for SLO, it redirects the user’s browser to the Logout Service defined in the IdP OpenToken Adapter configuration. The redirect URL includes an OpenToken containing the user attributes defined in the IdP OpenToken Adapter instance for the partner connection. The Logout Service should remove the user’s session on the application server and redirect the user’s browser back to the IdP PingFederate server. The diagram below shows the flow of IdP-initiated SLO, but the architecture would also support SP-initiated SLO.

Processing Steps

  1. User initiates a single logout request. The request targets the PingFederate server’s /idp/startSLO.ping endpoint.
  2. PingFederate sends a logout request and receives responses from all SPs registered for the current SSO session.
  3. PingFederate redirects the request to the IdP Web application’s Logout Service, which identifies and removes the user’s session locally.
  4. The application Logout Service redirects back to PingFederate to display a logout-success page.