Reputation: 361
When doing an SP-initiated SLO while configuring an OpenToken adapter for the IdP, I don't get to go to the adapter-configured SLO Service. What actually happens is that I go to the logout endpoint of the SP and that's it; I am not redirected to the SLO Service in the adapter.
Note that IdP-initiated SLO works fine in other scenarios; however, for this specific SP I am disabling IdP-initiated SLO. Should I send any extra information to the IdP? Is this normal behavior?
Upvotes: 0
Views: 3400
Reputation: 543
I had the same problem before. Basically, here are the things you need to check:
1. Make sure you have a value specified in SP Default URLs. To do that:
   a. Access the Admin console using https://localhost:9999/pingfederate/app
   b. Then follow this step: SP Configuration > Application Integration Settings > Default URLs
   c. Add the default URL under this line: "Provide the default URL you would like to send the user to when Single Logout (SLO) has succeeded."
2. When you are going to initiate the SLO, add the TargetResource query string with the value of your redirect URL.
   This is how I implemented it in .NET:
   Response.Redirect(<pingfederate_server_url> & "/sp/startSLO.ping?TargetResource=" & "http://<redirect_url>/", True)
3. Make sure you have set the correct SLO Service URLs in your IdP Connection.
   Sample value of SLO Service URL: https://<idp_DNS>:9031/idp/SLO.saml2
Upvotes: 0
Reputation: 4255
There are Application Endpoints for the IDP and the SP Initiated events. There are also Protocol Endpoints for where the actual protocol messages are received/sent. You are using the Protocol Endpoint, which is not correct. For SP-Init SLO you must initiate the process by calling the /sp/startSLO.ping Application Endpoint. Here is the documentation on the SP Application Endpoints.
Upvotes: 0
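An added example, not part of either answer and not PingFederate's own code: building the /sp/startSLO.ping redirect that both answers point to, with TargetResource percent-encoded and checked against an allowlist before it is used as the post-logout destination. The base URL, the allowlisted host and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed deployment values (hypothetical, not from the thread).
PF_BASE_URL = "https://pf.example.com:9031"
ALLOWED_TARGET_HOSTS = {"app.example.com"}


def is_allowed_target(target: str) -> bool:
    """Accept only absolute http(s) URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port, so "app.example.com@other.test"
    # is judged by its real host, other.test.
    return parts.hostname in ALLOWED_TARGET_HOSTS


def build_start_slo_url(target: str, base_url: str = PF_BASE_URL) -> str:
    """Return the SP-initiated SLO URL with TargetResource safely encoded."""
    if not is_allowed_target(target):
        raise ValueError("TargetResource is not an allowed post-logout URL")
    # urlencode percent-encodes ':', '/', '?', '&' and '=' in the value, so a
    # target carrying its own query string stays one parameter.
    query = urlencode({"TargetResource": target})
    return f"{base_url.rstrip('/')}/sp/startSLO.ping?{query}"


def target_seen_by_server(slo_url: str) -> str:
    """Parse the URL the way a receiving server would and return TargetResource."""
    return parse_qs(urlsplit(slo_url).query)["TargetResource"][0]


if __name__ == "__main__":
    target = "https://app.example.com/signed-out?lang=en&from=slo"  # constructed sample
    good = build_start_slo_url(target)
    naive = PF_BASE_URL + "/sp/startSLO.ping?TargetResource=" + target
    print(good)
    print("encoded ->", target_seen_by_server(good))
    print("naive   ->", target_seen_by_server(naive))  # loses "&from=slo"
```

Plain string concatenation, as in the .NET one-liner above, works for a bare URL but truncates any target that carries its own query parameters; the allowlist matters when the return URL is taken from request input.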