Specific endpoints are needed for PingFederate or another token provider to interface with PingAccess using the OpenID Connect (OIDC) protocol.
These endpoints are available on the engine.http.port and
agent.http.port ports defined in the
<PA_HOME>/conf/run.properties
file.
If you selected the Use context root as reserved resource base
path check box on your PingAccess application, this feature creates an
instance of any reserved PingAccess
resources under the application’s context root. As such, the context root of the
application needs to prepend the reserved context application root
(/pa by default) in any file paths that reference it. If
the context root of your application is myApp, the paths to the
OIDC endpoints would look like the following examples:
/myApp/pa/oidc/logout/myApp/pa/oidc/cb/myApp/pa/oidc/JWKS/myApp/pa/oidc/logout.png
/pa/oidc/logout
This endpoint clears the browser cookie containing the PingAccess token. This endpoint enables end users to trigger the removal of their own PingAccess cookie from the browser they are using. The user is redirected to the logged out page. You can modify the template for this page, located at <PA_INSTALL>/conf/template/general.loggedout.page.template.html.
This endpoint does not retain any server-side state to denote log off. Additionally, unless single logout (SLO) is selected for the token provider, this endpoint clears the cookie only from the requested host or domain, and the cookie might still exist in requests bound for other hosts or domains.
If you selected the Use Single-Logout option when configuring the token provider, this endpoint also sends a logout request to the token provider, which completes a full SLO flow.
/pa/oidc/cb
This endpoint, along with the application virtual host, becomes the redirect URI for the token provider configuration on the client.
/pa/oidc/JWKS
This endpoint is used by the token provider's JSON Web Token (JWT) token processor for signature verification. This endpoint must be used in conjunction with the configuration of a JWT token processor instance in the token provider. For more information on configuring a JWT in PingFederate, see the PingFederate documentation.
/pa/oidc/logout.png
This endpoint is used by the token provider to initiate a logout from PingAccess in conjunction with SLO functionality, terminating the PingAccess tokens across domains.