Question

The PingFederate documentation notes that you may configure either SP or IDP single-log-out (a.k.a. SLO).

A user initiates SLO when that user requests a "Start-SLO" endpoint from their browser (i.e. either http://<PingFederate Base URL>/sp/startSSO.ping or http://<PingFederate Base URL>/idp/startSSO.ping).

My Questions:

  • Isn't this just a distinction in name only?
  • At the end of the day, aren't we just targeting an endpoint anyway?
  • Does this choice have any material impact on the SLO process?

@Scott T. had the following to say here:

If users start the SLO process at the IdP, then yes - users will be redirected back to /idp/SLO.saml2 as the last step. In fact, each SP that you redirect to for logout, will redirect back to the IdP to logout of the next SP. If you start the SLO process from an SP, then the last place users will end up is at that SP's SLO endpoint.

Indeed, it would be nice if PingFederate redirected to the SP that initiated the SLO as the last step, but this hasn't been my experience.

Perhaps I should also ask:

  • How do you specify the SP that initiated the SLO?

EDIT: Per @Scott T.'s answer here:

I'm assuming here you have PingFederate as an IdP and SP (potentially 2 separate installs).

As I understand the definitions of IdP and SP:

  • PingFederate is neither my IdP nor one of my SPs.**
  • For my configuration, PingFederate merely facilitates the open token transfer between my IdP and my SP.
  • Until very recently, I was of the belief that this was a completely valid configuration.
  • But now it seems like this configuration doesn't facilitate SLO; or at least as nicely as it would if PingFederate was acting as my IdP.
    • Is this correct?

**When I say this, I mean to say that I have:

  • A standalone web application which authenticates users, and has a backing store (i.e. a database) that includes user names and passwords - This acts as my IdP.
  • Multiple standalone web applications which are linked to my IdP which display data and provide functionality to my users - These act as my SPs.

Solution

I'm assuming here you have PingFederate as an IdP and SP (potentially 2 separate installs). If you want to start the SLO process from your IdP, you would request it at: http://pingfed-idp/idp/startSSO.ping. If you want to start the SLO process from your SP, you would request it at: http://pingfed-sp/sp/startSSO.ping.

There is a slight difference in flow from either model:

If you start at the IdP, then the IdP will send a SAML 2.0 LogoutRequest message to each of the SPs (one at a time) where you have an SSO session. Each SP will logout the user from the local session, then redirect back to the SP with a SAML LogoutResponse saying success/fail. The process ends at the IdP once the final SP is done.

If you start at the SP, then that SP will send a SAML 2.0 LogoutRequest to the IdP, then the IdP sends a LogoutRequest to every other SP (one at a time) where you have an SSO session. Each SP will again logout the user from the local session, then redirect back to the SP with a SAML LogoutResponse saying success/fail. Once the IdP is done terminating all sessions - it sends a final LogoutResponse to the original SP that initiated SLO.
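The two flows in the answer, as an added example that is not part of the original post and not PingFederate code: an in-memory IdP and three SPs exchange minimal (unsigned) SAML 2.0 LogoutRequest/LogoutResponse elements, and every hop is recorded so you can see that an IdP-initiated SLO ends at the IdP while an SP-initiated SLO ends with one final LogoutResponse back at the originating SP. The entity IDs, user name and session indexes are constructed for the example.

```python
"""Simulation of SAML 2.0 Single Logout (SLO) message ordering.

Added example, not code from the original post or from PingFederate.
Entity IDs, the user "alice" and all session indexes are constructed.
Messages are unsigned here; a real deployment signs them and the receiver
checks the signature and InResponseTo before acting on them.
"""
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


def logout_request(issuer, name_id, session_index):
    """Build a minimal <samlp:LogoutRequest> naming the principal and session."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return req


def logout_response(issuer, in_response_to, success=True):
    """Build a <samlp:LogoutResponse> tied to the request by InResponseTo."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                       "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": STATUS_SUCCESS if success else STATUS_RESPONDER})
    return resp


class SP:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}  # name_id -> session_index

    def handle_logout_request(self, req, trace):
        """Terminate the local session named in the request and answer the issuer."""
        issuer = req.findtext(f"{{{SAML}}}Issuer")
        trace.append(("LogoutRequest", issuer, self.entity_id))
        ok = self.sessions.pop(req.findtext(f"{{{SAML}}}NameID"), None) is not None
        trace.append(("LogoutResponse", self.entity_id, issuer))
        return logout_response(self.entity_id, req.get("ID"), ok)


class IdP:
    def __init__(self, entity_id, sps):
        self.entity_id = entity_id
        self.sps = {sp.entity_id: sp for sp in sps}
        self.sessions = {}  # name_id -> {sp_entity_id: session_index}

    def login(self, name_id, sp_id):
        """Record an SSO session for name_id at sp_id (the result of an earlier SSO)."""
        idx = "_" + uuid.uuid4().hex
        self.sessions.setdefault(name_id, {})[sp_id] = idx
        self.sps[sp_id].sessions[name_id] = idx

    def logout_all(self, name_id, trace, exclude=None):
        """Send a LogoutRequest to each SP holding a session, one at a time."""
        all_ok = True
        for sp_id, idx in list(self.sessions.get(name_id, {}).items()):
            if sp_id == exclude:
                continue  # the originating SP already ended its own session
            req = logout_request(self.entity_id, name_id, idx)
            resp = self.sps[sp_id].handle_logout_request(req, trace)
            code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
            all_ok = all_ok and code == STATUS_SUCCESS
        self.sessions.pop(name_id, None)
        return all_ok


def idp_initiated_slo(idp, name_id):
    """/idp/startSLO flow: the IdP drives every SP and the browser ends at the IdP."""
    trace = [("startSLO", "browser", idp.entity_id)]
    idp.logout_all(name_id, trace)
    trace.append(("done", idp.entity_id, "browser"))
    return trace


def sp_initiated_slo(idp, sp, name_id):
    """/sp/startSLO flow: SP -> IdP -> other SPs -> final LogoutResponse to the SP."""
    trace = [("startSLO", "browser", sp.entity_id)]
    idx = sp.sessions.pop(name_id)
    req = logout_request(sp.entity_id, name_id, idx)
    trace.append(("LogoutRequest", sp.entity_id, idp.entity_id))
    ok = idp.logout_all(name_id, trace, exclude=sp.entity_id)
    logout_response(idp.entity_id, req.get("ID"), ok)  # returned to the originating SP
    trace.append(("LogoutResponse", idp.entity_id, sp.entity_id))
    trace.append(("done", sp.entity_id, "browser"))
    return trace


def build_demo():
    """Constructed topology: one IdP, three SPs, user alice signed in to all of them."""
    sps = [SP("https://sp-a.example"), SP("https://sp-b.example"), SP("https://sp-c.example")]
    idp = IdP("https://idp.example", sps)
    for sp in sps:
        idp.login("alice", sp.entity_id)
    return idp, sps


if __name__ == "__main__":
    idp, sps = build_demo()
    for hop in idp_initiated_slo(idp, "alice"):
        print("IdP-initiated:", hop)
    idp, sps = build_demo()
    for hop in sp_initiated_slo(idp, sps[0], "alice"):
        print("SP-initiated: ", hop)
```

Run it and compare the last hop of each trace: the IdP-initiated run finishes at https://idp.example, the SP-initiated run finishes with a LogoutResponse delivered to https://sp-a.example. In both cases every SP's session table and the IdP's session table are empty afterwards, which is the check a practitioner should make in a real deployment (an SP that silently fails its local logout still returns a Responder status, so the IdP-side result is only as good as each SP's honesty).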

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow