PingFederate logout from IdP flow, as in the PingFederate documentation
Sequence:
1. User initiates a single logout request. The request targets the PingFederate server's /idp/startSLO.ping endpoint.
2. PingFederate sends a logout request and receives responses from all SPs registered for the current SSO session.
3. PingFederate redirects the request to the IdP Web application's Logout Service, which identifies and removes the user's session locally.
4. The application Logout Service redirects back to PingFederate to display a logout-success page.
But I have a slight problem regarding the application Logout Service, which needs to be set in the IdP adapter configuration.
The problem is that I have a dynamic logout URL, because of which I can't use it as the Logout Service.
Currently I am trying to initiate IdP-initiated SLO, for which I am passing TargetResource to redirect the user to the IdP after SLO success:
https://idp.pf.com:9031/idp/startSLO.ping?PartnerSpId=testSpId&TargetResource=http%3A%2F%2Fdynamicsubhost.baseurl.com%3A8080%2Fweb%2Fmy-bank%2Flogout
Question:
So how can I rig the PingFederate settings to skip Step 3, so that instead of redirecting to the IdP Logout Service it redirects to TargetResource?
What I have tried:
I know it sounds cheesy, but I actually left the IdP Logout Service blank. Obviously it wasn't working.
P.S. The awkward thing is that when I was using the same PF server for configuring both the IdP and the SP it was working well. But when I switched to a separate PF instance for hosting the PingFederate server, the problem showed up.
You may add the "resume" parameter in your logout service redirect. This is how I implemented it in .NET. I have a web service that handles the SLO and calls this redirect:
' Send the browser back to PingFederate: the SP server host plus the "resume" path PingFederate passed in
Context.Response.Redirect(< SP Server DNS > + Context.Request("resume").ToString(), True)
This redirect will instantiate the Logout service and then redirect back to the value of the targetResource parameter that you specified when you called the logout service.
If your targetResource does not have a value, the default SLO URL will be used (this is set in the Admin Console: SP Configuration > APPLICATION INTEGRATION SETTINGS > Default URLs).
For reference: just review the implementation of the sample application, which you can download here: https://www.pingidentity.com/content/dam/pic/downloads/software/integration-kits/-NET-Integration-Kit-2-5-1.zip
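The resume round-trip the answer describes, as an added Python example that is not from the original post or the Ping .NET integration kit: the Logout Service removes the local session and sends the browser back to PingFederate at the "resume" path, checking first that the value is a plain path on the PingFederate host, since the redirect target is built from request input. The PingFederate base URL is taken from the question's startSLO URL; the resume path, session store and request URLs are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# PingFederate host the Logout Service trusts (from the question's startSLO URL).
PF_BASE_URL = "https://idp.pf.com:9031"


def is_safe_resume(resume):
    """True only for an absolute path on the PingFederate host itself.

    Rejects empty values, full URLs ("https://..."), network-path
    references ("//host/...") and backslash variants browsers may
    normalise to a slash, so concatenation cannot become an open redirect.
    """
    if not resume:
        return False
    if not resume.startswith("/") or resume.startswith("//") or "\\" in resume:
        return False
    parts = urlsplit(resume)
    return parts.scheme == "" and parts.netloc == ""


def logout_service(request_url, sessions, session_id):
    """Handle step 3: PingFederate redirected the browser here with ?resume=...

    Removes the local application session, then returns the Location the
    Logout Service should redirect to (PingFederate host + resume path),
    or None when the resume value is missing or unsafe.
    """
    query = parse_qs(urlsplit(request_url).query)
    resume = query.get("resume", [None])[0]
    # The local session is ended whether or not resume is usable.
    sessions.pop(session_id, None)
    if not is_safe_resume(resume):
        return None
    return PF_BASE_URL + resume


if __name__ == "__main__":
    # Constructed sample: one local session and a resume path as PingFederate might send it.
    store = {"sess-1": {"user": "alice"}}
    print(logout_service("https://app.example/logout?resume=/idp/ABC123.ping", store, "sess-1"))
```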