
I have a query on implementing SLO in a PingFederate environment for a mobile application.

We are a Service Provider. Let me explain the mobile application flow. Please help me understand how I can implement SLO.

  1. The mobile application sends a request to PingFederate to get the authorization code.
  2. The user is not authenticated, so the request is transferred to the IdP login page.
  3. The IdP login process completes and the SP receives a SAML Response.
  4. An authorization code is generated and posted to the application.
  5. The application contacts the PingFederate OAuth access token endpoint to collect the access token.
  6. The access token is posted to the resource; the resource server validates the token using a PF endpoint.
  7. The user lands in the mobile application.

When the user clicks the application logout button, the user is logged off successfully from the application. The user's IdP session remains, since the mobile application uses an Android Chrome Custom Tab for user login. The next time the user opens the application, the active session allows them to enter the application without being prompted for credentials. This issue does not occur on iPhone, as it uses the Safari browser and the session is cleared when the user closes the mobile application.

Implementing SLO will fix this issue. However, I haven't done SLO before and I need help implementing it.

Which endpoint will the mobile application use to contact PingFederate to initiate SLO to the IdP?

Can someone help me here?

https://PFLoadBalanceURL/sp/startSLO.ping ?

user1992

1 Answer


Yes, since you are the SP, you will start the SLO process at your /sp/startSLO.ping application endpoint.

Andrew K.
  • Thanks for your reply @Andrew K. It is working for the desktop application, but not for the mobile application. When I re-open the app the IdP sessions are still alive and I am able to log in without being prompted for credentials. As I have already mentioned, the mobile application uses an Android Chrome Custom Tab for the login page and the session is still there even after logout. Any idea on how to sort out this issue? – user1992 Jul 03 '19 at 13:24
  • Put the PingFederate server logging into [debug logging](https://support.pingidentity.com/s/article/Configuring-DEBUG-logging-in-PingFederate-8-2-and-later), and update the question with the log entries that have the same TID from the point of the `/sp/startSLO.ping` transaction. My guess is that SLO failed for some reason. Another option is to open a ticket with the Ping Support team (they'll need that same set of logs). – Andrew K. Jul 03 '19 at 15:22
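The answer names `/sp/startSLO.ping` as the SP-initiated SLO endpoint, and the follow-up comment describes the IdP session surviving in the Chrome Custom Tab. Below is an added Android example (not code from the original post, from PingFederate, or from the asker's app) of one way to drive that endpoint from a mobile app. The security-relevant detail is where the request is made from: SAML SLO is a front-channel, browser-redirect flow that acts on the session cookies the browser holds, and a Chrome Custom Tab shares Chrome's cookie jar. Fetching `startSLO.ping` from app code with an HTTP client sends no cookies, so PingFederate has no SP session to terminate and the IdP is never contacted. The example therefore opens the SLO URL in a Custom Tab and returns to the app through a deep link. Assumptions not in the original: the `androidx.browser` dependency, a `SharedPreferences` file named `auth` holding the tokens, the deep link `myapp://slo-done`, and the `TargetResource` query parameter as the post-logout return URL for `startSLO.ping`.

```kotlin
// Added example, not from the original post or from PingFederate.
// Assumptions (hypothetical, not in the original): package name, the
// androidx.browser dependency, a SharedPreferences file "auth" for tokens,
// the deep link myapp://slo-done registered in the manifest, and
// TargetResource as the startSLO.ping parameter naming the post-logout URL.
package com.example.slo

import android.content.Intent
import android.net.Uri
import androidx.appcompat.app.AppCompatActivity
import androidx.browser.customtabs.CustomTabsIntent

const val PF_BASE = "https://PFLoadBalanceURL"   // from the question
const val SLO_RETURN = "myapp://slo-done"        // hypothetical deep link

/** SP-initiated SLO URL: PingFederate's SP endpoint plus where to land afterwards. */
fun buildSloUrl(returnUri: String = SLO_RETURN): Uri =
    Uri.parse("$PF_BASE/sp/startSLO.ping").buildUpon()
        .appendQueryParameter("TargetResource", returnUri)
        .build()

/** Accept only the deep link we expect back; ignore anything else. */
fun isSloReturn(uri: Uri?): Boolean =
    uri != null && uri.scheme == "myapp" && uri.host == "slo-done"

class LogoutActivity : AppCompatActivity() {

    fun logout() {
        // 1. Drop the app's own access/refresh tokens first, so the API is
        //    unusable from this device even if the SLO leg below fails.
        getSharedPreferences("auth", MODE_PRIVATE).edit().clear().apply()

        // 2. Open startSLO.ping in a Custom Tab. The Custom Tab shares Chrome's
        //    cookie jar, so it is the only place that still holds the
        //    PingFederate SP session and the IdP session cookies. The same URL
        //    fetched with an HTTP client from app code carries no cookies and
        //    terminates nothing.
        CustomTabsIntent.Builder().build().launchUrl(this, buildSloUrl())
    }

    // 3. After the IdP acknowledges the logout, PingFederate redirects the
    //    browser to TargetResource; the manifest intent-filter for
    //    myapp://slo-done delivers that redirect back to this activity.
    override fun onNewIntent(intent: Intent?) {
        super.onNewIntent(intent)
        if (isSloReturn(intent?.data)) {
            // Local tokens are already gone and the IdP session has been ended,
            // so the next sign-in must prompt for credentials again.
            finishAffinity()
        }
    }
}
```

For `onNewIntent` to receive the deep link the activity needs `android:launchMode="singleTask"` (or the same check in `onCreate`). Two caveats a practitioner should verify before blaming the app: the IdP connection in PingFederate must have SLO enabled and the IdP must actually support it, and, as the comment above suggests, the server log entries sharing the TID of the `startSLO.ping` transaction are the place to confirm whether the LogoutRequest was ever sent and what the IdP returned.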