When I use the WS-Federation
protocol and log out from my application (Service Provider) with the endpoint http://pingserver.com:Port/idp/prp.wsf?wa=wsignout1.0
, I get redirected to the IdP logout template provided by Ping.
But when I use the SAML protocol and log out from my application (Service Provider) with the endpoint http://pingserver.com:Port/idp/SLO.saml2?SAMLRequest=
, I get redirected to the SP logout page.
I am using the same IdP Adapter on the Ping side, so why the different behavior? Shouldn't Ping handle the last action in the same way?
The reason lies in the differences between the standards.
As per the WS-Federation standard (chapter 13.2.4.1), the endpoint should support the parameter wreply with the following behavior:
This OPTIONAL parameter specifies the URL to return to once clean-up (sign-out) is complete. If this parameter is not specified, then after cleanup the GET completes by returning any realm-specific data such as a string indicating cleanup is complete for the realm.
And therefore, when it is not specified, Ping supplies a default logout page (sourceid-wsfed-idp-signout-cleanuptemplate.html), which can be customized.
SAML 2.0 explicitly defines that in SP-initiated SLO the user gets redirected back to the SP with a SingleLogout message, so Ping follows that.
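The difference the answer describes is visible in the two requests themselves: the WS-Federation sign-out carries its return location in the request (the optional wreply parameter), while a SAML LogoutRequest has no return-URL field at all, so the IdP sends its LogoutResponse to the SingleLogoutService endpoint registered in the SP's metadata, looked up by Issuer. The script below builds both requests and decodes the SAML one the way a receiving IdP would. It is an added example, not code from the question, the answer or PingFederate; the host comes from the question, while port 9031 (PingFederate's usual runtime port), the SP entity ID and the user identifiers are assumptions. One caveat worth keeping in mind when you do pass wreply: an IdP must check it against the return URLs configured for the realm, otherwise the sign-out endpoint becomes an open redirect.

```python
"""Build and decode SP-initiated logout requests for WS-Federation and SAML 2.0.

Example code added to this page; not PingFederate's code. Host/port and the
SP identifiers are assumptions.
"""
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumed values: pingserver.com comes from the question, 9031 is PingFederate's
# usual runtime port, the SP entity ID used in the tests is made up.
IDP_WSFED = "http://pingserver.com:9031/idp/prp.wsf"
IDP_SLO = "http://pingserver.com:9031/idp/SLO.saml2"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def wsfed_signout_url(wreply=None):
    """WS-Federation sign-out: the return location travels as the optional
    wreply query parameter. Without it the IdP shows its own clean-up page."""
    params = {"wa": "wsignout1.0"}
    if wreply is not None:
        params["wreply"] = wreply
    return IDP_WSFED + "?" + urllib.parse.urlencode(params)


def build_logout_request(sp_entity_id, name_id, session_index):
    """SAML 2.0 LogoutRequest. There is no return-URL field: the IdP answers
    with a LogoutResponse to the SP's SingleLogoutService endpoint taken from
    the SP's registered metadata, keyed by the Issuer element below."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SLO,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def saml_redirect_url(logout_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header
    deflated = compressor.compress(logout_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SLO + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Reverse the binding (what the IdP does on receipt) and pull out the
    fields the IdP uses to route the LogoutResponse back to the SP."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    print(wsfed_signout_url())
    print(wsfed_signout_url("https://sp.example.com/signed-out"))
    xml_doc = build_logout_request("https://sp.example.com/saml", "alice@example.com", "s-1")
    url = saml_redirect_url(xml_doc, relay_state="/app/home")
    print(url)
    print(decode_saml_request(url))
```

Running it prints the WS-Federation URL with and without wreply, then the SAML redirect URL and the fields recovered from it; the decoded dictionary contains an Issuer but nothing resembling a return URL, which is exactly why the SAML flow ends at the SP's own logout page regardless of how the IdP adapter is configured.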