Starting with PingFederate 10.3, you can revoke a user's
sessions with their authentication sources by submitting a user identifier, such as the
userPrincipalName attribute value.
For example, you have a terminated user, and their user account has been disabled in your directory. However, they still have an authentication session with PingFederate on their device that would allow them to single sign-on (SSO) into applications until that session is no longer valid. You can easily revoke their sessions so that any attempt to do so fails.
This process works both for sessions stored in memory across hosts and for persistent sessions stored in an external database.
PingFederate 10.3 and later.
The following sections call out the configuration options that relate specifically to session revocation by user identifier. The rest of the configuration is left to you.