PingFederate Server

Asynchronous Front-Channel Logout

Asynchronous Front-Channel Logout provides OAuth clients the capability to initiate single logout (SLO) requests to sign off associated SLO-enabled OpenID Connect (OIDC), SAML 2.0, or WS-Federation sessions.

The Asynchronous Front-Channel Logout endpoint is /idp/startSLO.ping. Optionally, clients can add end-user sessions to a revocation list on logout and query the revocation list through the Back-Channel Session Revocation endpoint.

The Asynchronous Front-Channel Logout endpoint is also published in the OIDC metadata at the /.well-known/openid-configuration endpoint. Look for ping_end_session_endpoint in the metadata.

You can set the logout mode for a client as Ping Front-Channel or OIDC Back-Channel.

When you select Ping Front-Channel, PingFederate sends logout requests, using the browser, to PingAccess and additional requests to other relying parties.

When you select the PingAccess option, PingFederate sends logout requests, using the browser, to the OIDC logout endpoint on PingAccess (/pa/oidc/logout.png) to sign off other domains previously called by the session. For more information, see OpenID Connect endpoints in the PingAccess documentation.

When you select OIDC Back-Channel, PingFederate sends a logout token to the client’s configured Back-Channel Logout URI. This feature conforms to the OpenID Connect Back-Channel Logout specification.

In addition, the same logout process applies when an SLO-enabled SAML 2.0 or WS-Federation session is signed off, because the service provider (SP)-initiated logout request reaches the PingFederate identity provider (IdP) server. Depending on the enterprise architecture, this could further improve single sign-on (SSO) and logout use cases.
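
For the OIDC Back-Channel mode described above, the client that receives the logout token at its Back-Channel Logout URI has to validate it before ending a session. The following is an added example, not PingFederate code: it applies the checks from the OpenID Connect Back-Channel Logout specification on the receiving side. It assumes an HS256 token keyed with a shared secret (a deployment using asymmetric signing would verify against the issuer's published keys instead); the function names, issuer, client ID and secret are hypothetical.

```python
import base64, hashlib, hmac, json, time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _require(ok, why):
    if not ok:
        raise ValueError(why)

def make_sample_token(claims, secret, alg="HS256"):
    """Build a constructed sample token (stands in for what the OP would send)."""
    head = _b64e(json.dumps({"alg": alg}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def validate_logout_token(token, secret, issuer, client_id, seen_jti, now=None, skew=300):
    """Return the claims of a valid logout token, or raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, sig = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
        _require(isinstance(header, dict) and isinstance(claims, dict), "not JSON objects")
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    _require(header.get("alg") == "HS256", "unexpected alg")  # pinned; rejects "none"
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    _require(hmac.compare_digest(sig, expected), "bad signature")
    _require(claims.get("iss") == issuer, "wrong issuer")
    aud = claims.get("aud")
    _require(client_id in (aud if isinstance(aud, list) else [aud]), "wrong audience")
    iat = claims.get("iat")
    _require(isinstance(iat, (int, float)) and abs(now - iat) <= skew, "iat missing or stale")
    events = claims.get("events")
    _require(isinstance(events, dict) and LOGOUT_EVENT in events, "not a back-channel logout event")
    _require("nonce" not in claims, "nonce present")  # keeps ID tokens from passing as logout tokens
    _require(claims.get("sub") or claims.get("sid"), "no sub or sid to identify the session")
    jti = claims.get("jti")
    _require(isinstance(jti, str) and jti and jti not in seen_jti, "missing or replayed jti")
    seen_jti.add(jti)  # remember the token ID so a captured token cannot be replayed
    return claims
```

In a real receiver, `seen_jti` would be a shared store with expiry rather than an in-memory set, and the returned `sid` or `sub` selects which local sessions to terminate.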