Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PingFederate Single Log-Off - How does it work?

Given:

  • PingFederate is a single-sign-on (SSO) solution, which allows users to be authenticated by 1-n applications using a single username and password.

High-Level Questions:

  • How does PingFederate's single-log-off (SLO) feature work?
  • And how does SLO work in general?

Given:

  • To begin the SLO process, we'd expect the user to request the SLO endpoint from the browser (i.e. https://[PingFederateInstance]/idp/startSLO.ping?PartnerSpId=[PartnerSpId]).
  • And we can assume that the PingFederate instance will issue a redirect after a succesful SLO invocation.

Specific Questions:

  • But what if you have multiple applications in multiple browser windows?
  • How could a federated identity provider tell multiple applications to terminate their user sessions?
like image 417
Jim G. Avatar asked Oct 09 '22 10:10

Jim G.


1 Answers

Direct from the PingFederate Getting Started manual:

"The single logout (SLO) profile enables a user to log out of all participating sites in a federated session nearly simultaneously. The user may log out globally from any site, whether SP or IdP, as determined by respective Web applications. The associated IdP federation deployment handles all logout requests and responses for participating sites."

That said - PingFederate (acting as an IdP) knows which SPs you have federated with in a given session. When the user kicks off SLO (from the example you gave - at the IdP - it could also be initiated from an SP) the users browser (assuming a Redirect or POST binding) is sent to each SP with a SAML LogoutRequest.

If by "multiple browser windows" you mean independent browsers / browser sessions, then indeed PingFederate wouldn't know to logout of all the IdP's. You need to have some common session amongst them. So, if it's just multiple browser windows, but sharing the same session information (e.g.: cookies) this wil work fine.

For more information, you may want to consult section 4.4 of the SAML 2.0 Profiles spec: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Keep in mind PingFederate supports more than just SAML 2.0 - but not all federation protocols support SLO (e.g.: SAML 1.x). Also, many non-PingFederate SAML aware applications don't support SLO.

like image 76
Scott T. Avatar answered Oct 26 '22 19:10

Scott T.