You can implement server-side session management in one of two ways.
- PingAccess can reject a PingAccess cookie associated with a PingFederate session that has been invalidated as a result of an end-user driven sign-off.
- The end user can initiate a sign-off from all PingAccess issued web sessions using a centralized sign-off.
The first of these scenarios provides increased scalability and security, ensuring the PingFederate session is terminated and that subsequent session validation requests are rejected. This scenario implies a user sign-off from PingAccess protected resources through the invalidation of the related PingFederate session.
The second scenario provides improved performance and end user experience. When the user explicitly signs off of the PingAccess issued session, all related PingAccess cookies are deleted, ensuring the client is no longer authenticated to resources protected by PingAccess. In this scenario, the user has explicitly signed off from all of those protected services.
You must configure PingAccess only for the first scenario. These options are not mutually exclusive and can be combined to provide comprehensive session management at the server.