Specific endpoints are needed for PingFederate or another token provider to interface with PingAccess using the
These endpoints are available on the engine.http.port and agent.http.port ports defined in the <PA_HOME>/conf/run.properties file.
If you selected the Use context root as reserved resource base path check box on your PingAccess application, this feature creates an instance of any reserved PingAccess resources under the application's context root. As such, you must prepend the application's context root to the reserved application context root (/pa by default) in any file paths that reference it.
If the context root of your application is myApp, the paths to the OIDC endpoints would be:
/myApp/pa/oidc/logout
/myApp/pa/oidc/cb
/myApp/pa/oidc/JWKS
/myApp/pa/oidc/logout.png
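The path rule above, as an added example that is not part of the PingAccess documentation: it builds the reserved OIDC endpoint paths for an application and maps a request path back to the endpoint it hits, which is useful when writing upstream proxy rules or reading access logs. The function names are hypothetical; it assumes that without the check box the endpoints sit directly under the reserved root and that paths match exactly and case-sensitively.

```python
# Added example: these names are illustrative, not PingAccess APIs.
OIDC_ENDPOINTS = ("logout", "cb", "JWKS", "logout.png")  # as listed on this page


def _norm(segment):
    """Return '' for an empty or root segment, else '/segment' with no trailing slash."""
    s = segment.strip("/")
    return "/" + s if s else ""


def reserved_oidc_paths(context_root, use_context_root=True, reserved_root="/pa"):
    """Paths of the reserved OIDC endpoints for one application.

    use_context_root mirrors the "Use context root as reserved resource
    base path" check box; reserved_root is the reserved application
    context root (/pa by default).
    """
    # Assumption: with the check box cleared, the context root is not prepended.
    base = (_norm(context_root) if use_context_root else "") + _norm(reserved_root)
    return {name: f"{base}/oidc/{name}" for name in OIDC_ENDPOINTS}


def match_reserved(request_path, apps):
    """Map a request path to (context_root, endpoint), or None if not reserved.

    apps is an iterable of (context_root, use_context_root) tuples.
    The query string is ignored; matching is exact and case-sensitive (assumption).
    """
    path = request_path.split("?", 1)[0]
    for context_root, use_context_root in apps:
        paths = reserved_oidc_paths(context_root, use_context_root)
        for name, reserved in paths.items():
            if path == reserved:
                return context_root, name
    return None


if __name__ == "__main__":
    # Constructed sample: the myApp application from the text above.
    for endpoint_path in reserved_oidc_paths("myApp").values():
        print(endpoint_path)
```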
/pa/oidc/logout
The /pa/oidc/logout endpoint clears the browser cookie containing the PingAccess token. This enables end users to trigger the removal of their own PingAccess cookie from the browser that they're using, which redirects them to the logged out page.
You can modify the logged out page template in the <PA_INSTALL>/conf/template/general.loggedout.page.template.html file.
This endpoint does not retain any server-side state to denote log off.
Additionally, unless
If you selected the Use Single-Logout option when configuring the token provider, this endpoint also sends a logout request to the token provider, which completes a full SLO flow.
/pa/oidc/cb
The /pa/oidc/cb endpoint, along with the application virtual host, becomes the redirect
/pa/oidc/JWKS
The /pa/oidc/JWKS endpoint is used by the token provider's
/pa/oidc/logout.png
The /pa/oidc/logout.png endpoint is used by the token provider to initiate a logout from PingAccess in conjunction with SLO functionality, terminating the PingAccess tokens across domains.