I'm trying to do SLO using PingFederate. One of the SP apps is configured to use a cookieless session. This SP app in PingFederate is set with the logout URL as being, for example, 'http://site/logout.aspx', but when the SLO process is triggered, PingFederate successfully redirects the browser to this URL, however to a totally different session than the one spawned when the SSO was first made. How do I configure PingFederate to redirect to the SP's logout page reusing the session created in the SSO process?

Edit: I'm sorry, I forgot to mention some things. Actually, both the IdP and SP applications are developed in ASP.NET, and by cookieless I mean that the SP application has the following session state configuration in its web.config file:

    <sessionState mode="InProc" cookieless="UseUri" regenerateExpiredSessionId="true" timeout="60" stateNetworkTimeout="30" />

This sessionState configuration makes the URL look like 'http://site(S(pvvofbemnrmaixo2emaaeo0t))/Home.aspx', and this is OK for the SSO, as when 'http://site/Home.aspx' is called a new session is created, therefore replacing the URL to include "(S(blahblah))". However, when the SP's logout URL (http://site/logout.aspx) is called by the SLO process, a new session for the SP site is generated (different from the one originally created by the SSO). Consequently, the original SP site session is not ended.

1 Answer

When you say "configured to use cookieless session", do you mean the application itself doesn't use cookies to maintain state? If that is the case, how is the session maintained: through URL rewriting?

I assume you are logging into the application via a Ping Identity integration kit (e.g. the OpenToken integration). In the Java Integration Kit (for example), the following sample code is provided to do SLO at an SP-integrated application:

    // End the application's own session, then send the browser back to
    // PingFederate at the "resume" path it supplied so the SLO flow continues.
    request.getSession().invalidate();
    String returnUrl = "https://<PingFederate DNS>:9031" + request.getParameter("resume");
    response.sendRedirect(returnUrl);

which indeed relies on the session management within a J2EE application. If it's a new entry point into the app (as it would potentially be for IdP-initiated SLO), then you would probably need cookies to maintain that state information.

Is it not possible in your SP application integration code to store some session info in a cookie, so you can later invalidate it? Otherwise it's rather tricky to achieve SLO. This isn't so much a PingFederate question as it is a question of how you maintain user state in your application when a user accesses it directly and they are already logged in.

Scott T.
  • Sorry I didn't make myself very clear. I just edited the original question to include more details. – Andre Ariano Nov 25 '11 at 11:45
  • Thanks for the clarification. My original recommendation stands. In your integration code (for SSO) you will need to save the session state somehow so that when the request comes back to the SLO endpoint in your application, without the usual session info in the link, the application will be able to resolve it. Again, I suggest the easiest way is to stick this in a special SSO session cookie. When the SLO request comes in, check for this cookie, then redirect to the application logout: http://site(S())/Logout.aspx – Scott T. Nov 25 '11 at 18:33
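As an added example (not code from the question, the answer, or Ping Identity), here is one way to implement the answer's suggestion in the ASP.NET SP: the SSO landing page stores the cookieless session ID in a helper cookie, and Logout.aspx uses it to re-enter the original session before abandoning it and returning to PingFederate. Class and cookie names are assumptions, and the PingFederate base URL is the answer's placeholder.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Code-behind for the page the integration kit lands on after a successful SSO.
public class SsoLanding : Page
{
    public const string SsoCookieName = "sp_sso_sid";   // name is an assumption
    protected void Page_Load(object sender, EventArgs e)
    {
        // Writing to Session pins the cookieless ID that is now in the URL.
        Session["sso_login"] = DateTime.UtcNow;
        Response.Cookies.Add(new HttpCookie(SsoCookieName, Session.SessionID)
        {
            HttpOnly = true,                      // not readable by page script
            Secure = Request.IsSecureConnection
        });
    }
}

// Code-behind for /Logout.aspx, the URL PingFederate calls during SLO.
public class Logout : Page
{
    private const string PingFederateBase = "https://<PingFederate DNS>:9031"; // placeholder from the answer
    // Default ASP.NET session IDs are 24 alphanumeric characters; refuse anything else before it goes into a URL.
    private static readonly Regex SessionIdPattern = new Regex("^[a-z0-9]{24}$");
    protected void Page_Load(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[SsoLanding.SsoCookieName];
        if (cookie != null)
        {
            // Consume the helper cookie once, so an expired SSO session cannot loop us.
            Response.Cookies.Add(new HttpCookie(SsoLanding.SsoCookieName, "") { Expires = DateTime.UtcNow.AddDays(-1) });
            if (cookie.Value != Session.SessionID && SessionIdPattern.IsMatch(cookie.Value))
            {
                // First hop: PingFederate called /Logout.aspx without a (S(...)) token, so ASP.NET started
                // a fresh session. Re-enter via the SSO session's URL with a raw 302 so the token is kept as-is.
                Response.StatusCode = 302;
                Response.AppendHeader("Location", "/(S(" + cookie.Value + "))/Logout.aspx" + Request.Url.Query);
                Response.End();
            }
        }
        // Second hop (or no helper cookie): this is the SSO session; end it.
        Session.Abandon();
        // 'resume' is a relative path issued by PingFederate; accept only a local path so the redirect stays on that host.
        string resume = Request.QueryString["resume"] ?? "/";
        if (!resume.StartsWith("/") || resume.StartsWith("//")) resume = "/";
        Response.Redirect(PingFederateBase + resume, true);
    }
}
```

Cookieless sessions put the session ID in every link, so it also shows up in Referer headers and access logs; the helper cookie is HttpOnly so page script cannot read it, but the URL token itself is only as private as those logs.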