Reputation: 1
I am using PF 5.2.0 to set up an IdP and also multiple SPs. My question is about the single logout scenario.
If a session has been established by SP1 and SP2 with my IdP, then on IdP-initiated logout it works fine by issuing samlp:LogoutRequest to both SPs. I am facing an issue if one of the SPs is down after establishing a session with the IdP: then SLO does not complete, meaning if SP1 is down then samlp:LogoutRequest is not sent to SP2, assuming the first logout request is sent to SP1, which is down.
I am using POST binding, but I believe this will be the same result for redirect as well.
Awaiting your comments in anticipation..
-Vj
Upvotes: 0
Views: 430
Reputation: 4255
Vj -
This is "by design" behavior with front-channel SAML 2.0 SLO and really doesn't have anything specific to do with PingFederate. It's also one of the reasons you don't see many Enterprises using SLO.
One of the drawbacks of SAML 2.0 SLO is that it can be very fragile. As you have noticed, if any of the SPs fail to return a response to the IDP, the entire transaction is stopped since the IDP is waiting to resume the transaction. Unfortunately, this is just how front-channel SAML 2.0 SLO works. I believe with SOAP-based SLO, since the browser is never involved, it does not have the same limitation. However, this requires the SP to keep the user's state in a database that can be removed when it receives the SLO request without the need to also get access to the user's browser cookies to remove the session (since the browser will never visit the SP in this scenario).
HTH --Ian
Upvotes: 1
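As an added illustration (not part of Ian's answer or of PingFederate), a small Python model of the two propagation styles he describes: the browser-mediated front-channel chain stalls at the first SP that never answers, while a back-channel (SOAP binding) variant, which assumes each SP keeps a server-side store of SAML SessionIndex values, still delivers the LogoutRequest to the remaining SPs and reports which ones failed. The SP entity IDs and the session index are constructed values.

```python
"""Model of SAML 2.0 single logout (SLO) propagation from an IdP to several SPs."""
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    entity_id: str
    up: bool = True
    # Server-side session store keyed by SAML SessionIndex. This is what makes
    # back-channel SLO possible: the SP can drop the session without ever
    # seeing the user's browser cookies. (Constructed for this example.)
    sessions: set = field(default_factory=set)

    def handle_logout_request(self, session_index: str) -> None:
        if not self.up:
            raise ConnectionError(f"{self.entity_id} unreachable")
        self.sessions.discard(session_index)


def front_channel_slo(sps, session_index):
    """Front-channel (POST/Redirect) SLO: the IdP sends the browser to SP1 and
    waits for its LogoutResponse before moving on to SP2, and so on. If an SP
    never answers, the browser never returns to the IdP and the chain stalls.
    Returns (SPs that were logged out, 'complete' | 'stalled')."""
    completed = []
    for sp in sps:
        try:
            sp.handle_logout_request(session_index)
        except ConnectionError:
            # No LogoutResponse will ever arrive; the IdP is left waiting.
            return completed, "stalled"
        completed.append(sp.entity_id)
    return completed, "complete"


def back_channel_slo(sps, session_index):
    """Back-channel (SOAP) SLO: the IdP calls each SP directly, so one
    unreachable SP does not block the others. The IdP can then report a
    partial result to whoever initiated the logout.
    Returns (SPs that were logged out, SPs that could not be reached)."""
    completed, failed = [], []
    for sp in sps:
        try:
            sp.handle_logout_request(session_index)
            completed.append(sp.entity_id)
        except ConnectionError:
            failed.append(sp.entity_id)
    return completed, failed
```

Running both functions against the same pair of SPs, with SP1 marked down, reproduces the behaviour from the question: the front-channel run stops before SP2, the back-channel run still clears SP2's session.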