Login/Register
PingFederate IdP-initiated Logout, redirect to TargetResource
Asked Answered
single-sign-onfederated-identitypingfederate
K

1

7

Ping Federate Logout From IdP flow as from the Ping Federate Documentation

Sequence

  1. User initiates a single logout request. The request targets the PingFederate server’s /idp/startSLO.ping endpoint.

  2. PingFederate sends a logout request and receives responses from all SPs registered for the current SSO session.

  3. PingFederate redirects the request to the IdP Web application’s Logout Service, which identifies and removes the user’s session locally.

  4. The application Logout Service redirects back to PingFederate to display a logout-success page.

But, I have a slight problem regarding the application Logout Service , which needs to set at IdP adapter configuration.

The problem is i have dynamic logout URL , due to which i can't use it in the Logout Service.

Currently i am trying to initialize the IdP initiated SLO. For which i am passing TargetResource to redirect user to IdP after SLO success.

https://idp.pf.com:9031/idp/startSLO.ping?PartnerSpId=testSpId&TargetResource=http%3A%2F%2Fdynamicsubhost.baseurl.com%3A8080%2Fweb%2Fmy-bank%2Flogout

Question :

So how can i rig the PingFederate setting to skip the Step 3 , so instead of redirecting to the IdP Logout service it redirects to TargetResource.

What i have tried :

I know it sounds cheesy , but actually i kept the IdP logout service to blank. But obviously it wasn't working.

P.S The awkward thing is when i was using same PF server for configuring both IdP and SP server it was working well. But when i switch to separate instance of PF server for hosting the PingFederate Server the consequence is showing up.

Knocker answered 10/7, 2014 at 5:26 Comment(0)
C
1

You may add the "resume" parameter in your logout service redirect. This is how I implemented it in .NET. I have a web service that handles the SLO and calls this redirect:

 Context.Response.Redirect(< SP Server DNS > + Context.Request("resume").ToString(), True)

This redirect will instantiate the Logout service and then redirect back to the value of the targetResource parameter that you specified when you called the logout service.

If your targetResource does not have a value the default SLO URL will be used (this is set in the Admin Console: SP Configuration > APPLICATION INTEGRATION SETTINGS > Default URLs)

For reference: Just review the implementation of the sample application that you may download here https://www.pingidentity.com/content/dam/pic/downloads/software/integration-kits/-NET-Integration-Kit-2-5-1.zip

Controversial answered 7/7, 2015 at 1:37 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.