1. PingAccess can reject a PingAccess cookie associated with a PingFederate session that was invalidated because of an end-user driven sign-off.
  2. The end user can use a centralized sign-off to sign off from all PingAccess-issued web sessions simultaneously.

The first of these scenarios provides increased scalability and security, ensuring termination of the PingFederate session and rejection of subsequent session validation requests. This scenario implies a user sign-off from resources protected by PingAccess through invalidation of the related PingFederate session. You must make configuration changes in PingAccess to implement this first scenario.

The second scenario provides improved performance and end user experience. When the user explicitly signs off of the PingAccess-issued session, all related PingAccess cookies are deleted, ensuring that the client is no longer authenticated to resources protected by PingAccess. In this scenario, the user has explicitly signed off from all of those protected services. For this second scenario, the user driven sign-off can go directly to the centralized sign-off provider, or PingAccess can initiate the process with the configured token provider.