When an SP PingFederate server receives a request for SLO, it redirects the user’s browser to the Logout Service as configured in the SP OpenToken Adapter instance. As part of the redirect, PingFederate and the OpenToken Adapter include both an OpenToken and a resumePath query parameter.
- The OpenToken includes attributes about the user.
- The resumePath query parameter provides the target application URL.
A user can have multiple sessions. This logout sequence, as shown in the following diagram, will occur for each of the user’s sessions controlled by the SP PingFederate server.
- PingFederate receives an SLO request under the SAML 2.0 protocol.
- PingFederate, via the OpenToken Adapter, redirects the browser to the Application Server’s Logout Service.
- The Logout Service returns to PingFederate, indicating that the logout was successful.
The code needed to perform an SP SLO is identical to that required for an IdP SLO. (See Sample code.)