1
votes

We've installed and configured the IIS integration kit for an ASPX web site. SSO works fine, but we cannot handle the SLO process:

1) We've created an "Exit" link:

https://[PingFederate]/idp/startSLO.ping?PartnerSpId=[partner]&TARGET=[our_site].

2) On the PingFederate server our agent has the logout URL:

https://[our_site]/logout.aspx

3) logout.aspx

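protected void Page_Load(object sender, EventArgs e)
{
    // End the local application session (forms-auth ticket and session state).
    FormsAuthentication.SignOut();
    Session.Abandon();

    // Build the PingFederate resume URL from the "resume" query parameter.
    String returnUrl = "https://<PingFederate>" + Request["resume"];

    // Record the URL in the site's own system log (SFunctions is the site's helper class).
    SFunctions.fnInsSystemLogRSP(returnUrl);

    // Send the browser back to PingFederate to continue SLO.
    Response.Redirect(returnUrl);
}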

4) After clicking on "Exit" we get this link in the browser:

https://<our_site>/logout.aspx?resume=/sp/Yh9ls/resume/sp/SLO.ping&opentoken=[token]

5) We get an error in a red box (coming from PingFederate):

Error Single-Sign-On resumePath not whitelisted

6) There is also a link from our server support:

https://[Ping Federate]/ext/logout

And if I open this link in the browser, it logs me out of PingFederate (if I go to the SSO link, I will need to log in again), but I can still access the application.

Any help appreciated! Might we need to use a different procedure for SLO on the IIS kit?

Thanks!

1 Answer

1
votes

I've found a solution for the IIS Integration Kit:

There is no need for logout.aspx, which parses the "resume" GET parameter and redirects to PingFederate. But we still have it assigned to the Exit button.

There is a CancelURL parameter in pfisapi.conf, which uses a regular expression, so I changed it to

CancelUrl=/.*logout.*

It means the IIS integration kit watches for when a user accesses this URL and performs the logout process.
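
Before deploying a CancelUrl pattern, it helps to check which request paths it would treat as a logout. The following is an added example, not part of the original answer or of the IIS Integration Kit; the sample paths, the tighter pattern and the use of Python's regex semantics (the kit's own regex engine and matching mode may differ) are assumptions.

```python
import re

# Constructed sample paths for a hypothetical site (not from the original post).
INTENDED_LOGOUT = ["/logout.aspx"]
OTHER_PATHS = [
    "/default.aspx",
    "/reports/logout-history.aspx",
    "/help/how-to-logout.html",
    "/account/settings.aspx",
]

BROAD = r"/.*logout.*"       # value from the answer above
TIGHT = r"^/logout\.aspx$"   # assumed tighter alternative for this site


def matches(pattern, path, mode):
    """mode 'search': match anywhere in the path; 'full': whole path must match."""
    rx = re.compile(pattern)
    if mode == "search":
        return rx.search(path) is not None
    return rx.fullmatch(path) is not None


def audit(pattern, intended=INTENDED_LOGOUT, others=OTHER_PATHS):
    """Check a pattern under both matching modes, since the page does not say
    which one the filter uses. Returns missed logout paths and unintended hits."""
    report = {}
    for mode in ("search", "full"):
        report[mode] = {
            "missed": [p for p in intended if not matches(pattern, p, mode)],
            "unintended": [p for p in others if matches(pattern, p, mode)],
        }
    return report


if __name__ == "__main__":
    for name, pat in (("broad", BROAD), ("tight", TIGHT)):
        for mode, result in audit(pat).items():
            print(f"{name:5} {mode:6} missed={result['missed']} "
                  f"unintended={result['unintended']}")
```

Any path listed under "unintended" would end the user's session when requested, so the pattern should be narrowed until that list is empty for the site's real URL inventory.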