Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Logout when IdP does not provide SLO failing



SAML SSO with PING as Identity Provider has been configured. PING is not maintaining any user sessions so there is no Single Logout (SLO) URL from Identity provider side.

Pega rule left the optional logout URL as blank as PING is not providing it. User is able to login successfully into PING but  getting exception when trying to logout.

Error Messages

Caused by: Unable to build Logout Request. No value specified for the Single Logout location
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.createLogoutRequest(
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_7f522b9d11795aee0c0027cdd7fefd15.step2_circum0(
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_7f522b9d11795aee0c0027cdd7fefd15.perform(
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(
at com.pegarules.generated.activity.ra_action_logoff_839a0c73dcf8877a207e2f6af1689868.step1_circum0(
at com.pegarules.generated.activity.ra_action_logoff_839a0c73dcf8877a207e2f6af1689868.perform(
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(
at com.pegarules.generated.activity.ra_action_logoff_c3a380c4735f758f4daa6ad0d7866271.step1_circum0(
at com.pegarules.generated.activity.ra_action_logoff_c3a380c4735f758f4daa6ad0d7866271.perform(
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(
... 57 more

Steps to Reproduce

1. Login to Pega using Single Sign-on (SSO) URL with PING as the identity provider.
2. After successful login, click Log Off link.

Root Cause

A defect in Pegasystems’ code or rules.  The code is assuming that SAML logout is providing a SLO.  


To work around the issue switch to Out-of -the-box (OOTB) logoff.  However, the logoff action when using SSO may take users directly back into PRPC. This is because of a Meta Redirect in the Web-Session-Return that when not using SSO simply takes the user back to the PRPC login screen. When using SSO this will trigger the Data-Admin-AuthService login activity to run again and if still logged into a third party SSO application will then trigger authentication and take the user back into PRPC. 

To resolve this simply modify the Meta Redirect from the Web-Session-Return HTML rule. This requires having a custom unauthenticated AccessGroup and RuleSet defined and specified in the system's Data-Admin-Requestor Browser instance. This is required because when Web-Session-Return is run the user is unauthenticated. 

Perform the following local-change: 

1. Save the Code-Security Logoff activity to application specific ruleset and comment out the first step in the activity so that it does not call the Code-Security SAMLSingleLogOff activity.  
2. Save the @baseclass Web-Session-Return HTML to application specific ruleset and remove or replace this line with custom logoff URL.
    <META http-equiv="refresh" content="0;URL=<pega:reference name="$save(servURL)" />">


Published August 23, 2016 - Updated October 8, 2020

Was this useful?

100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us