IDP Initiated logout in PingFederate


Hi, can anyone help me get out of this issue?

I'm a newbie to PingFederate and tried to do an IDP-initiated log-out with the IDP SLO URL, appending the TargetResource parameter to redirect after the logout. User logout is working fine, but after log-off PingFederate doesn't redirect to the TargetResource URL and still shows the PingFederate logout page.

EDIT: I'm using PingFederate version 6.10, and from the documentation I understand the TargetResource parameter can be used to redirect after log-off.

URL for IDP SLO:

https://Machine-IP:9031/idp/startSLO.ping?PartnerSpId=HRIM:SAML2:PRODUCTION-IDP&TargetResource=http://Machine-IP:8005/logout

Am I missing any configuration for the redirection?

EDIT-2:
Below is the PingFederate server log; the PF server throws

"Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Responder
Status Message: Unexpected Runtime Authn Adapter Integration Problem."


    entityId: HRIM:SAML2:PRODUCTION-IDP (SP)
    Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    relayState: aDz9NF0AZEMnJmAy6EM5N9vq8XNcEA
    SignatureStatus: VALID
    Binding says to sign: true

    09:56:31,632 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:null subject:null
    09:56:31,632 WARN  [HandleLogoutResponse] Invalid response: InMessageContext
    XML: <samlp:LogoutResponse Destination="https://192.168.2.64:9031/idp/SLO.saml2" InResponseTo="hk6gFs__DcEmUVt.W5B9YJT6e5R" IssueInstant="2015-06-19T13:56:31.363Z" ID="EpSPm27S53BhzqTEnX6OYS-DeLu" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HRIM:SAML2:PRODUCTION-IDP</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#EpSPm27S53BhzqTEnX6OYS-DeLu">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>q7i/J6rrBAvwehMrFnr11sQTg6g=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>KMfBgt792oj3mfQ6JiWklHNUlh8QpDliYhLGr4NPJ5ti6UnvSBQNVOOIuHXpwvodCElEQJR527M/
    94erFkCA9SK1rwy/Ib6jyCZPCaim3qLavOmBQOaiY8ymBEqTPeMvtN/IVKSf4yOhAYEmiIHS/rMs
    m2D+UY898kgn+L+/SYs=</ds:SignatureValue>
      </ds:Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <samlp:StatusMessage>Unexpected Runtime Authn Adapter Integration Problem.</samlp:StatusMessage>
        <samlp:StatusDetail>
          <Cause>org.sourceid.websso.profiles.RequestProcessingException: Unexpected Runtime Authn Adapter Integration Problem.</Cause>
        </samlp:StatusDetail>
      </samlp:Status>
    </samlp:LogoutResponse>

    entityId: HRIM:SAML2:PRODUCTION-IDP (SP)
    Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    relayState: aDz9NF0AZEMnJmAy6EM5N9vq8XNcEA
    SignatureStatus: VALID
    Binding says to sign: true
    -------------------------------------
    Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Responder
    Status Message: Unexpected Runtime Authn Adapter Integration Problem.
    -------------------------------------

    09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] getRegisteredAuthnBeans(MV8o6ixVX2KuJ9t3lbi5Re) found [IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5] authn beans
    09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] getIssuedSessions for authnbean IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5 assertion ids: []
    09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] getIssuedSessions for authnbean IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5 assertion ids: []
    09:56:31,632 DEBUG [InterReqStateMgmtMapImpl] Object removeAttr(key: GkIkCfHYlNs9B1UyPtmmiD, name: HtmlFormIdpAuthnAdapter:SESSION): {[email protected], DN=cn=Carol,ou=Users,dc=highroads,dc=com, TargetResource=http://172.25.242.205:8005/index}
    09:56:31,632 DEBUG [IdpSessionRegistryMapImpl] unregisterAuthnBean IdpHashableAuthnBean: 86d72689520858914485566f334f6d3fde4b08d5 from session id MV8o6ixVX2KuJ9t3lbi5Re. Session now has 0 beans associated with it.

![I'm getting the following error page in the browser][1]

  [1]: https://i.stack.imgur.com/eC43g.png
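The WARN line in the log above is PingFederate rejecting a LogoutResponse whose status is `Responder` rather than `Success`. As an added example (not part of the question and not PingFederate code), here is a small Python parser that pulls the status code, message and detail cause out of a SAML 2.0 LogoutResponse so that a nonsuccess response can be spotted during triage. The sample message is the response from the question's log with the `<ds:Signature>` element trimmed; the success response is constructed. It uses the standard library `xml.etree`; for XML received from a partner in production, parsing with `defusedxml` instead is the usual precaution.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Copied from the LogoutResponse in the question's server log, with the
# <ds:Signature> element removed to keep the sample short.
SAMPLE_LOGOUT_RESPONSE = """<samlp:LogoutResponse Destination="https://192.168.2.64:9031/idp/SLO.saml2" InResponseTo="hk6gFs__DcEmUVt.W5B9YJT6e5R" IssueInstant="2015-06-19T13:56:31.363Z" ID="EpSPm27S53BhzqTEnX6OYS-DeLu" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HRIM:SAML2:PRODUCTION-IDP</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>Unexpected Runtime Authn Adapter Integration Problem.</samlp:StatusMessage>
    <samlp:StatusDetail>
      <Cause>org.sourceid.websso.profiles.RequestProcessingException: Unexpected Runtime Authn Adapter Integration Problem.</Cause>
    </samlp:StatusDetail>
  </samlp:Status>
</samlp:LogoutResponse>"""

# Constructed example of what a successful response to the same request
# would look like (IDs are made up).
SUCCESS_LOGOUT_RESPONSE = """<samlp:LogoutResponse Destination="https://192.168.2.64:9031/idp/SLO.saml2" InResponseTo="hk6gFs__DcEmUVt.W5B9YJT6e5R" IssueInstant="2015-06-19T13:56:31.363Z" ID="_constructed-response-id" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HRIM:SAML2:PRODUCTION-IDP</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>"""


@dataclass
class LogoutStatus:
    response_id: str
    in_response_to: Optional[str]
    issuer: Optional[str]
    status_code: str
    status_message: Optional[str]
    cause: Optional[str]

    @property
    def ok(self) -> bool:
        """True only for the top-level Success status code."""
        return self.status_code == STATUS_SUCCESS

    def summary(self) -> str:
        """One-line description suitable for a log or alert."""
        if self.ok:
            return f"LogoutResponse {self.response_id} from {self.issuer}: Success"
        detail = self.cause or self.status_message or "(no detail)"
        return (f"LogoutResponse {self.response_id} from {self.issuer}: "
                f"{self.status_code.rsplit(':', 1)[-1]} - {detail}")


def _text(elem) -> Optional[str]:
    return elem.text.strip() if elem is not None and elem.text else None


def parse_logout_response(xml_text: str) -> LogoutStatus:
    """Extract the status of a SAML 2.0 LogoutResponse; raise on malformed input."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutResponse: " + root.tag)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or "Value" not in code.attrib:
        raise ValueError("LogoutResponse has no StatusCode Value")
    # PingFederate puts an un-namespaced <Cause> inside StatusDetail (see the
    # log in the question), so that element is looked up without a prefix.
    return LogoutStatus(
        response_id=root.attrib.get("ID", ""),
        in_response_to=root.attrib.get("InResponseTo"),
        issuer=_text(root.find("saml:Issuer", NS)),
        status_code=code.attrib["Value"],
        status_message=_text(root.find("samlp:Status/samlp:StatusMessage", NS)),
        cause=_text(root.find("samlp:Status/samlp:StatusDetail/Cause", NS)),
    )


if __name__ == "__main__":
    for sample in (SAMPLE_LOGOUT_RESPONSE, SUCCESS_LOGOUT_RESPONSE):
        print(parse_logout_response(sample).summary())
```

Checking `ok` against the top-level StatusCode is deliberate: a LogoutResponse can carry nested StatusCode elements, but only the outer value decides whether the partner actually completed the logout.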

There are 2 answers

Andrew K. On BEST ANSWER

The /idp/startSLO.ping endpoint does not support a PartnerSpId query parameter. When you hit that endpoint, you're telling PingFed to start a "single logout", which is intended to log you out of ALL the SPs that PingFed is aware of for the browser session, so the PartnerSpId (used to identify the partner with which you want to SSO when using the startSSO endpoint) is unneeded.

From the documentation on that endpoint, it only supports three parameters: TargetResource, InErrorResource, and Binding, all of which are optional.
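As an added example (not from the answer above and not PingFederate code), the following Python helper checks a startSLO URL against the three parameters the answer lists, reports anything else (such as the PartnerSpId in the question's URL), and rebuilds the URL with only the supported parameters and a properly encoded TargetResource. The `allowed_redirect_hosts` allow-list in `build_start_slo_url` is an assumption of this example, a client-side sanity check on where the post-logout redirect may point, not a PingFederate setting.

```python
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The only query parameters /idp/startSLO.ping accepts, per the answer above.
SUPPORTED_SLO_PARAMS = ("TargetResource", "InErrorResource", "Binding")


def check_start_slo_url(url: str) -> dict:
    """Split a startSLO URL into supported and unsupported parameters and
    return a cleaned URL carrying only the supported ones."""
    parts = urlsplit(url)
    if not parts.path.endswith("/idp/startSLO.ping"):
        raise ValueError("not a startSLO.ping URL: " + parts.path)
    # parse_qsl splits each pair on the first '=', so a TargetResource value
    # that itself contains ':' or '/' survives intact.
    params = parse_qsl(parts.query, keep_blank_values=True)
    supported: Dict[str, str] = {k: v for k, v in params if k in SUPPORTED_SLO_PARAMS}
    unsupported: List[str] = sorted({k for k, _ in params if k not in SUPPORTED_SLO_PARAMS})
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(supported), ""))
    return {"supported": supported, "unsupported": unsupported, "cleaned_url": cleaned}


def build_start_slo_url(
    pf_base: str,
    target_resource: Optional[str] = None,
    in_error_resource: Optional[str] = None,
    binding: Optional[str] = None,
    allowed_redirect_hosts: Optional[Iterable[str]] = None,
) -> str:
    """Compose an IdP-initiated SLO URL from the documented parameters only.

    allowed_redirect_hosts (assumption of this example, not a PingFederate
    feature): if given, TargetResource and InErrorResource must point at one
    of these hosts, compared case-insensitively.
    """
    allowed = None
    if allowed_redirect_hosts is not None:
        allowed = {h.lower() for h in allowed_redirect_hosts}
    params: Dict[str, str] = {}
    for name, value in (("TargetResource", target_resource),
                        ("InErrorResource", in_error_resource),
                        ("Binding", binding)):
        if value is None:
            continue
        if name != "Binding" and allowed is not None:
            host = urlsplit(value).hostname  # already lower-cased by urlsplit
            if host not in allowed:
                raise ValueError(f"{name} host {host!r} is not in the redirect allow-list")
        params[name] = value
    query = "?" + urlencode(params) if params else ""
    return pf_base.rstrip("/") + "/idp/startSLO.ping" + query


if __name__ == "__main__":
    # The URL from the question, with its placeholder host kept as-is.
    report = check_start_slo_url(
        "https://Machine-IP:9031/idp/startSLO.ping"
        "?PartnerSpId=HRIM:SAML2:PRODUCTION-IDP&TargetResource=http://Machine-IP:8005/logout"
    )
    print("unsupported:", report["unsupported"])
    print("cleaned:    ", report["cleaned_url"])
```

The cleaned URL percent-encodes the TargetResource value, which is what a browser would send anyway; sending it raw works in simple cases but breaks as soon as the target carries its own query string.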

Prabaharan Kathiresan On

I got my issue resolved. Follow the URL below; it's very helpful.

https://ping.force.com/Support/PingIdentityVideoLibrary?id=2415947630001