Question

Building off of @Scott T.'s answer:

...PingFederate (acting as an IdP) knows which SPs you have federated with in a given session. When the user kicks off SLO (from the example you gave - at the IdP - it could also be initiated from an SP) the user's browser (assuming a Redirect or POST binding) is sent to each SP with a SAML LogoutRequest.

When I request https://[PingFederateInstance]/idp/startSLO.ping?PartnerSpId=[PartnerSpId], according to server.log, PingFederate issues only one LogoutRequest.

<samlp:LogoutRequest Destination="https://[PingFederateServerInstance]:[PortNumber]/sp/SLO.saml2" NotOnOrAfter="2011-11-22T23:02:37.812Z" IssueInstant="2011-11-22T22:57:37.812Z" ID="NEDH4Khn4TvWsOwfAZxK_XiEc6f" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer>XXX:IDP</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#NEDH4Khn4TvWsOwfAZxK_XiEc6f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>Hnec0X3qfYlE2Z9+ooujtD1HKQk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>L6wmw7RF82s8W2s4YSkwHpnQFo6tFRKUZ3pyK7JEl/7CZyJsxJ5lnfpdaaogm/Gl3S3Y7WoSjbp4
ssaNjtQ3x/nHsYI0zill66yhQ/DNaXAdRuKw6jDi9vqXemkYGx9cNxLkLvc14CUdn9qRA0gZcjyj
ncaZvvWL5Kzy9JOuWSg=</ds:SignatureValue>
  </ds:Signature>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">10072824</saml:NameID>
  <samlp:SessionIndex>dWh6bd58GRgnbLgeYsTWSVXT7pO</samlp:SessionIndex>
</samlp:LogoutRequest>

My Question:

  • If I've federated with more than one SP, how should I configure PingFederate so that it issues one request per federated SP?

I'm inclined to believe that:

  1. I need to configure something on this screen.
  2. In agreement with the idea that the multiple SP logout requests are "chained together", the last endpoint URL should be /idp/SLO.saml2.

Solution

Let me revise that first answer:

PingFederate knows which SPs you have federated with in a given session.

Should be:

PingFederate acting as the IdP knows which SPs a user has signed into in a given session.

The configuration at PingFederate acting as the IdP would include SLO protocol configuration for each SP connection you have. The screenshot you linked to in (1.) is actually an IdP connection screen, that would be done at PingFederate playing the SP role (maybe that's what you're acting as - it wasn't clear to me in your original query, so I assumed IdP from the nature of your question). You will want to ensure you have configured each SP connection with appropriate SLO endpoints following these instructions. If PingFederate is the IdP it will know to redirect to all SPs that support SLO (and where the user has a session) when a user initiates SLO.

WRT (2.): If users start the SLO process at the IdP, then yes - users will be redirected back to /idp/SLO.saml2 as the last step. In fact, each SP that you redirect to for logout will redirect back to the IdP to log out of the next SP. If you start the SLO process from an SP, then the last place users will end up is at that SP's SLO endpoint.
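The SLO chain the answer describes, modelled in Python as an added example (this is not PingFederate's code): the IdP issues one LogoutRequest per SP the user signed into during the session, accepts each SP's LogoutResponse only when its InResponseTo matches the request still outstanding and its status is Success, and finally lands the browser on its own /idp/SLO.saml2. The entity IDs, URLs and session records are constructed, SPs with no SLO endpoint are skipped, and the ds:Signature seen in the log above is left out.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_logout_request(idp_issuer, sp, name_id, now):
    """One LogoutRequest for one SP session (the ds:Signature step is left out)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": sp["slo_url"],
        "IssueInstant": now.strftime(fmt), "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(fmt)})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = idp_issuer
    ET.SubElement(req, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = sp["session_index"]
    return req

class IdpSloChain:
    """Hypothetical model of the IdP-side SLO chain: one LogoutRequest per SP the user
    signed into, each SP's LogoutResponse coming back before the next SP is contacted."""
    def __init__(self, idp_issuer, idp_slo_url, name_id, sp_sessions):
        self.idp_issuer, self.idp_slo_url, self.name_id = idp_issuer, idp_slo_url, name_id
        self.pending = [sp for sp in sp_sessions if sp.get("slo_url")]  # SPs without SLO are skipped
        self.outstanding = None  # ID of the LogoutRequest whose response we are waiting for

    def next_hop(self, now=None):
        """(redirect_url, request_xml) for the next SP, or (idp_slo_url, None) when done."""
        if not self.pending:
            return self.idp_slo_url, None
        sp = self.pending.pop(0)
        req = build_logout_request(self.idp_issuer, sp, self.name_id, now or datetime.now(timezone.utc))
        self.outstanding = req.get("ID")
        return sp["slo_url"], ET.tostring(req, encoding="unicode")

    def accept_response(self, response_xml):
        """True only if the LogoutResponse answers our outstanding request with Success."""
        resp = ET.fromstring(response_xml)
        code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        ok = (resp.tag == f"{{{SAMLP}}}LogoutResponse"
              and resp.get("InResponseTo") == self.outstanding
              and code is not None and code.get("Value") == SUCCESS)
        self.outstanding = None
        return ok
```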

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow