Asynchronous Front-Channel Logout provides OAuth clients the capability to initiate single logout requests to sign off associated SLO-enabled SAML 2.0 or WS-Federation sessions; the Asynchronous Front-Channel Logout endpoint is /idp/startSLO.ping. Optionally, clients can add end-user sessions to a revocation list on logout and query the revocation list through the Back-Channel Session Revocation endpoint.

Tip:

The Asynchronous Front-Channel Logout endpoint is also published in the OpenID Connect metadata at the /.well-known/openid-configuration endpoint. Look for ping_end_session_endpoint in the metadata.

On a per-client basis, PingFederate can be configured to send (via the browser) logout requests to PingAccess and additional requests to other relying parties.

When the PingAccess option is selected, PingFederate sends logout requests (via the browser) to the OpenID Connect logout endpoint on PingAccess (/pa/oidc/logout.png) to sign off other domains previously called by the session. For more information, see OpenID Connect endpoints in the PingAccess documentation.

In addition, when signing off an SLO-enabled SAML 2.0 or WS-Federation session, as the SP-initiated logout request reaches the PingFederate IdP server, the same logout process applies as well. Depending on the enterprise architecture, this could further improve single sign-on and logout use cases.