
PingFederate IdP-initiated Logout, redirect to TargetResource

PingFederate logout-from-IdP flow, as given in the PingFederate documentation:

Sequence

  1. User initiates a single logout request. The request targets the PingFederate server's /idp/startSLO.ping endpoint.

  2. PingFederate sends a logout request and receives responses from all SPs registered for the current SSO session.

  3. PingFederate redirects the request to the IdP Web application's Logout Service, which identifies and removes the user's session locally.

  4. The application Logout Service redirects back to PingFederate to display a logout-success page.

But I have a slight problem regarding the application Logout Service, which needs to be set in the IdP adapter configuration.

The problem is that I have a dynamic logout URL, due to which I can't use it in the Logout Service.

Currently I am trying to initialize the IdP-initiated SLO, for which I am passing TargetResource to redirect the user to the IdP after SLO success:

https://idp.pf.com:9031/idp/startSLO.ping?PartnerSpId=testSpId&TargetResource=http%3A%2F%2Fdynamicsubhost.baseurl.com%3A8080%2Fweb%2Fmy-bank%2Flogout

Question:

So how can I rig the PingFederate settings to skip Step 3, so that instead of redirecting to the IdP Logout Service it redirects to TargetResource?

What I have tried:

I know it sounds cheesy, but I actually left the IdP logout service blank. Obviously it wasn't working.

PS: The awkward thing is that when I was using the same PF server for configuring both the IdP and the SP it was working well. But when I switched to a separate PF instance for hosting the PingFederate server, this consequence showed up.

You may add the "resume" parameter in your logout service redirect. This is how I implemented it in .NET. I have a web service that handles the SLO and calls this redirect:

 Context.Response.Redirect(< SP Server DNS > + Context.Request("resume").ToString(), True)

This redirect will instantiate the Logout service and then redirect back to the value of the targetResource parameter that you specified when you called the logout service.

If your targetResource does not have a value, the default SLO URL will be used (this is set in the Admin Console: SP Configuration > APPLICATION INTEGRATION SETTINGS > Default URLs).

For reference: just review the implementation of the sample application that you can download here: https://www.pingidentity.com/content/dam/pic/downloads/software/integration-kits/-NET-Integration-Kit-2-5-1.zip
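As an added example (not code from the question, the answer or PingFederate's .NET kit), the same Logout Service written in Python: it ends the local session and hands control back to PingFederate through the resume path, after which PingFederate performs the redirect to TargetResource as the answer describes. The PF base URL is taken from the question's startSLO example; the session data, resume path value and fallback URL are constructed assumptions.

```python
"""Minimal IdP Logout Service that resumes the PingFederate SLO flow.
Added illustration, not PingFederate or the original poster's code."""
from typing import Optional
from urllib.parse import urlsplit, urljoin, parse_qs

# Assumed PingFederate base URL (host taken from the question's startSLO URL).
PF_BASE = "https://idp.pf.com:9031"
# Constructed fallback when no usable resume path arrives (operator-controlled).
FALLBACK_URL = PF_BASE + "/logged-out"
# Constructed in-memory session store standing in for the app's session state.
SESSIONS = {"sess-123": {"user": "alice"}}


def build_resume_redirect(pf_base: str, resume: Optional[str]) -> Optional[str]:
    """Return the absolute URL that hands control back to PingFederate, or None.

    The 'resume' value is treated strictly as a server-relative path and is
    appended to the PF base (as the answer's < SP Server DNS > + resume does).
    A full URL, a protocol-relative '//host' value or control characters are
    rejected, so a tampered parameter cannot turn the step into an open redirect.
    """
    if not resume or not resume.startswith("/") or resume.startswith("//"):
        return None
    parts = urlsplit(resume)
    if parts.scheme or parts.netloc:
        return None
    if "\\" in resume or any(ord(c) < 0x20 for c in resume):
        return None
    return urljoin(pf_base, resume)


def handle_logout(query_string: str, session_id: Optional[str]) -> dict:
    """Simulate the Logout Service (step 3 of the documented sequence).

    Drops the local session, then answers with a 302 back to PingFederate's
    resume path, or to the fixed fallback if the resume value is missing/bad.
    Returned as a dict so the behaviour can be checked without a web server.
    """
    removed = SESSIONS.pop(session_id, None) is not None
    resume = parse_qs(query_string).get("resume", [None])[0]
    target = build_resume_redirect(PF_BASE, resume)
    return {"status": 302, "location": target or FALLBACK_URL, "removed": removed}
```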
