PingFederate Single Log-Off - How does it work?

Jim G. · Nov 22, 2011 · Viewed 11.2k times

Given:

  • PingFederate is a single-sign-on (SSO) solution, which allows users to be authenticated by 1-n applications using a single username and password.

High-Level Questions:

  • How does PingFederate's single-log-off (SLO) feature work?
  • And how does SLO work in general?

Given:

  • To begin the SLO process, we'd expect the user to request the SLO endpoint from the browser (i.e. https://[PingFederateInstance]/idp/startSLO.ping?PartnerSpId=[PartnerSpId]).
  • And we can assume that the PingFederate instance will issue a redirect after a successful SLO invocation.

Specific Questions:

  • But what if you have multiple applications in multiple browser windows?
  • How could a federated identity provider tell multiple applications to terminate their user sessions?

Answer

Scott T. · Nov 22, 2011

Direct from the PingFederate Getting Started manual:

"The single logout (SLO) profile enables a user to log out of all participating sites in a federated session nearly simultaneously. The user may log out globally from any site, whether SP or IdP, as determined by respective Web applications. The associated IdP federation deployment handles all logout requests and responses for participating sites."

That said - PingFederate (acting as an IdP) knows which SPs you have federated with in a given session. When the user kicks off SLO (from the example you gave - at the IdP - it could also be initiated from an SP) the user's browser (assuming a Redirect or POST binding) is sent to each SP with a SAML LogoutRequest.

If by "multiple browser windows" you mean independent browsers / browser sessions, then indeed PingFederate wouldn't know to logout of all the IdP's. You need to have some common session amongst them. So, if it's just multiple browser windows, but sharing the same session information (e.g.: cookies) this will work fine.

For more information, you may want to consult section 4.4 of the SAML 2.0 Profiles spec: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Keep in mind PingFederate supports more than just SAML 2.0 - but not all federation protocols support SLO (e.g.: SAML 1.x). Also, many non-PingFederate SAML aware applications don't support SLO.
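The IdP-side fan-out the answer describes, as an added Python example that is not part of the original answer and not PingFederate's code: the IdP looks up which SPs joined the session identified by the browser's cookie, builds one SAML LogoutRequest per SP, and encodes each one for the HTTP-Redirect binding. Entity IDs, endpoints, SessionIndex values and the cookie value are constructed placeholders, and the request signature a real deployment would add is omitted.

```python
import base64, uuid, zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs
from xml.etree import ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ENTITY_ID = "https://idp.example.com"  # hypothetical IdP entity ID
# Constructed sample data: the IdP's record of which SPs took part in each browser
# session, keyed by the IdP session cookie value. All endpoints are hypothetical.
SESSIONS = {
    "idpsession-abc123": {
        "name_id": "jdoe@example.com",
        "sps": [  # (SP entity ID, SP SLO endpoint, SessionIndex issued at SSO time)
            ("https://sp1.example.com", "https://sp1.example.com/saml/slo", "idx-1"),
            ("https://sp2.example.com", "https://sp2.example.com/saml/slo", "idx-2"),
        ],
    },
}

def build_logout_request(endpoint, name_id, session_index):
    """SAML 2.0 <LogoutRequest> (core spec 3.7.1) naming the principal and SP session."""
    req = ET.Element(f"{{{NS_P}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": endpoint,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(req, f"{{{NS_A}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def redirect_binding_url(endpoint, xml, relay_state):
    """HTTP-Redirect binding (bindings spec 3.4): raw DEFLATE, base64, URL-encode.
    A real IdP also appends SigAlg and Signature query parameters."""
    raw = zlib.compress(xml.encode())[2:-4]  # strip zlib header and Adler-32 trailer
    q = {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state}
    return f"{endpoint}?{urlencode(q)}"

def decode_redirect_request(url):
    """SP side: recover the LogoutRequest XML from a Redirect-binding URL."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def start_slo(session_cookie):
    """Return the SP logout URLs the browser is sent through, in order. A cookie the
    IdP does not know (a separate browser session) yields no SPs to notify."""
    sess = SESSIONS.get(session_cookie)
    if sess is None:
        return []
    return [redirect_binding_url(ep, build_logout_request(ep, sess["name_id"], idx), sp)
            for sp, ep, idx in sess["sps"]]
```

Each SP is expected to end its local session and answer with a LogoutResponse back to the IdP, which then moves the browser on to the next SP in the list.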