PingFederate Server

Configuring tracking options for logout

You can configure PingFederate to track adapter sessions for logout.

About this task

An adapter session is a logout entry that, if tracked, ensures a logout request is sent to the adapter during single logout (SLO). Then the adapter can remove any session data that it is tracking for the user.

Steps

  1. Go to Authentication → Policies → Sessions.

  2. Optional: Enable SLO for all adapter instances on a per-user basis by selecting the Track Adapter Sessions for Logout check box.

    When this check box is selected, an adapter session is tracked whenever an adapter is invoked during single sign-on (SSO). When this check box is not selected, the tracking of the adapter session depends on other factors, such as whether SLO is enabled on the partner connection involved in the SSO. This check box is not selected by default.

  3. Optional: Add the associated sessions to the revocation list on logout by selecting the Track Revoked Sessions on Logout check box.

    When selected, PingFederate always adds the associated sessions to the session revocation list as users sign off, even if an error occurs during the logout requests. This allows other systems, such as PingAccess, to query the validity of a given session at the Session Revocation API endpoint, /pf-ws/rest/sessionMgmt/revokedSris. This check box is selected by default for new installations.

    If your use cases involve OAuth requests, consider enabling the Check session revocation status option in the applicable Access Token Management instances so that the token validation process takes into account whether a session has been added to the revocation list.

    For more information, see Managing session validation settings.

  4. Optional: For optimal performance, change the number of minutes until revoked sessions are removed from the revocation list by changing the value in the Session Revocation Lifetime field. You can enter an integer between 1 and 43200. The default value is 490 minutes.

    The Session Revocation Lifetime value should match or exceed the idle timeout value, or the maximum session lifetime value, of the authentication sources and the relying parties. For example, the default value of 490 minutes exceeds the global Max Timeout value for authentication sessions by 10 minutes to allow for clock skew among servers.

  5. Click Save.
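
An added example, not part of the PingFederate documentation or product: a Python audit of the step 4 guidance that reports, for each authentication source or relying party, how many minutes a revoked session could outlive its revocation-list entry. The source names, the timeout values and the 10-minute skew default are constructed, and covering the larger of the idle timeout and the maximum lifetime is an assumed conservative reading of the guidance.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIELD_MIN, FIELD_MAX = 1, 43200  # allowed range of Session Revocation Lifetime, in minutes

@dataclass
class Source:
    """One authentication source or relying party (names and values are constructed)."""
    name: str
    idle_timeout: Optional[int] = None  # minutes, None if not set
    max_lifetime: Optional[int] = None  # minutes, None if not set

    def bound(self) -> int:
        # Assumption: cover the larger of the values that are configured.
        values = [v for v in (self.idle_timeout, self.max_lifetime) if v is not None]
        if not values:
            raise ValueError(f"{self.name}: no timeout configured, validity is unbounded")
        return max(values)

def required_lifetime(sources: List[Source], skew: int = 10) -> int:
    """Smallest lifetime that covers every source plus a clock-skew margin."""
    need = max(s.bound() for s in sources) + skew
    if need > FIELD_MAX:
        raise ValueError(f"needs {need} min, but the field maximum is {FIELD_MAX}")
    return max(need, FIELD_MIN)

def audit(lifetime: int, sources: List[Source], skew: int = 10) -> List[Tuple[str, int]]:
    """Return (source, gap): minutes a revoked session could outlive its list entry."""
    if not FIELD_MIN <= lifetime <= FIELD_MAX:
        raise ValueError(f"lifetime must be between {FIELD_MIN} and {FIELD_MAX}")
    return [(s.name, s.bound() + skew - lifetime)
            for s in sources if s.bound() + skew > lifetime]

# Constructed sample deployment. 480 is the Max Timeout implied by the default
# described above (490 minutes, 10 more than Max Timeout); the rest is made up.
SOURCES = [
    Source("global-authn-sessions", idle_timeout=60, max_lifetime=480),
    Source("hr-portal-sp", idle_timeout=30, max_lifetime=720),
    Source("kiosk-adapter", idle_timeout=15),
]

if __name__ == "__main__":
    for name, gap in audit(490, SOURCES):
        print(f"{name}: revocation entry expires {gap} min too early")
    print("recommended Session Revocation Lifetime:", required_lifetime(SOURCES))
```

A non-empty result from `audit` means the listed relying party or source can still accept a session after its entry has been removed from the revocation list, so the field value should be raised to at least what `required_lifetime` returns.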