PingFederate Server

Asynchronous Front-Channel Logout

Asynchronous Front-Channel Logout provides OAuth clients the capability to initiate single logout (SLO) requests to sign off associated SLO-enabled SAML 2.0 or WS-Federation sessions.

The Asynchronous Front-Channel Logout endpoint is /idp/startSLO.ping. Optionally, clients can add end-user sessions to a revocation list on logout and query the revocation list through the Back-Channel Session Revocation endpoint.

The Asynchronous Front-Channel Logout endpoint is also published in the OpenID Connect metadata at the /.well-known/openid-configuration endpoint. Look for ping_end_session_endpoint in the metadata.
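A client that reads the logout URL from discovery metadata should confirm it belongs to the issuer before redirecting a browser to it. The following is an added example, not code from the PingFederate documentation: the host sso.example.com, the sample metadata, and the function and class names are constructed, and it assumes the endpoint sits directly under the issuer's base path.

```python
import json
from urllib.parse import urlsplit

SLO_PATH = "/idp/startSLO.ping"  # endpoint path given on this page

# Constructed sample metadata; sso.example.com is a placeholder host.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://sso.example.com",
    "ping_end_session_endpoint": "https://sso.example.com/idp/startSLO.ping",
})


class MetadataError(ValueError):
    """The discovery document failed a validation check."""


def _origin(url):
    """Return (scheme, host, port) with the default port made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def resolve_logout_endpoint(metadata_json):
    """Return ping_end_session_endpoint once it checks out against the issuer."""
    try:
        doc = json.loads(metadata_json)
    except json.JSONDecodeError as exc:
        raise MetadataError("metadata is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise MetadataError("metadata is not a JSON object")
    issuer = doc.get("issuer")
    endpoint = doc.get("ping_end_session_endpoint")
    if not isinstance(issuer, str) or not isinstance(endpoint, str):
        raise MetadataError("issuer or ping_end_session_endpoint is missing")
    parts = urlsplit(endpoint)
    if parts.scheme.lower() != "https":
        raise MetadataError("logout endpoint must use https")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise MetadataError("logout endpoint carries unexpected URL components")
    # A logout URL on another origin would send the browser to a foreign host.
    if _origin(endpoint) != _origin(issuer):
        raise MetadataError("logout endpoint is not on the issuer's origin")
    # Assumption: the endpoint sits directly under the issuer's base path.
    if parts.path != urlsplit(issuer).path.rstrip("/") + SLO_PATH:
        raise MetadataError("logout endpoint path is not " + SLO_PATH)
    return endpoint
```

In a deployment, the JSON passed to resolve_logout_endpoint is the body fetched over TLS from the /.well-known/openid-configuration endpoint.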

On a per-client basis, you can configure PingFederate to send logout requests, using the browser, to PingAccess and additional requests to other relying parties.

When you select the PingAccess option, PingFederate sends logout requests, using the browser, to the OpenID Connect logout endpoint on PingAccess (/pa/oidc/logout.png) to sign off other domains previously called by the session. For more information, see OpenID Connect endpoints in the PingAccess documentation.

In addition, the same logout process applies when a service provider (SP)-initiated logout request for an SLO-enabled SAML 2.0 or WS-Federation session reaches the PingFederate identity provider (IdP) server. Depending on the enterprise architecture, this could further improve single sign-on (SSO) and logout use cases.