--- title: Asynchronous Front-Channel Logout description: Asynchronous Front-Channel Logout provides OAuth clients the capability to initiate single logout (SLO) requests to sign off associated SLO-enabled OpenID Connect (OIDC), SAML 2.0, or WS-Federation sessions. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_asynchron_front_channel_logout canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_asynchron_front_channel_logout.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: April 7, 2025 --- # Asynchronous Front-Channel Logout Asynchronous Front-Channel Logout provides OAuth clients the capability to initiate single logout (SLO) requests to sign off associated SLO-enabled OpenID Connect (OIDC), SAML 2.0, or WS-Federation sessions. The Asynchronous Front-Channel Logout endpoint is `/idp/startSLO.ping`. Optionally, clients can add end-user sessions to a revocation list on logout and query the revocation list through the Back-Channel Session Revocation endpoint. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The Asynchronous Front-Channel Logout endpoint is also published in the OIDC metadata at the `/.well-known/openid-configuration` endpoint. Look for `ping_end_session_endpoint` in the metadata. | You can set the logout mode for a client as Ping Front-Channel, OIDC Front-Channel, or OIDC Back-Channel. Learn more in [Configuring OAuth clients](pf_configuring_oauth_clients.html). When you select Ping Front-Channel, PingFederate sends logout requests, using the browser, to PingAccess and additional requests to other relying parties. When you select the PingAccess option, PingFederate sends logout requests, using the browser, to the OIDC logout endpoint on PingAccess(`/pa/oidc/logout.png`) to sign off other domains previously called by the session. For more information, see [OpenID Connect endpoints](https://docs.pingidentity.com/bundle/pingaccess-60/page/whl1564006726549.html) in the PingAccess documentation. When you select OIDC Front-Channel, PingFederate sends logout requests, using the browser, to replying parties' Front-Channel Logout URI. This feature conforms to the [OpenID Connect Front-Channel Logout specification](https://openid.net/specs/openid-connect-frontchannel-1_0.html). When you select OIDC Back-Channel, PingFederate sends a logout token to the client's configured Back-Channel Logout URI. This feature conforms to the [OpenID Connect Back-Channel Logout specification](https://openid.net/specs/openid-connect-backchannel-1_0.html). In addition, when signing off an SLO-enabled SAML 2.0 or WS-Federation session, because the service provider (SP)-initiated logout request reaches the PingFederate identity provider (IdP) server, the same logout process applies as well. Depending on the enterprise architecture, this could further improve single sign-on (SSO) and logout use cases.