• For successful sign offs:
    1. PingAccess responds to the /pa/oidc/logout.png request with Set-Cookie: PA.ACE_ws=;.
    2. The /pa/oidc/logout.png endpoint clears the ID token from the browser containing the PingAccess cookie.

      Unless you select Use single-logout (SLO) for the token provider, the /pa/oidc/logout.png endpoint clears the cookie only from the requested host/domain, and the cookie might still exist in requests bound for other hosts/domains.


      If you select the Use Single-Logout option when configuring the token provider, the /pa/oidc/logout.png endpoint also sends a logout request to the token provider, which completes a full SLO flow.

  • For unsuccessful sign offs:
    1. PingAccess responds to the same /pa/oidc/logout.png request without clearing the PA.ACE_ws; cookie.
    2. The user is directed back to the PingAccess-protected application page.
    3. If the application reads and finds the PA.ACE_ws; cookie present, it doesn't redirect to PingFederate for authentication.

PingAccess can only clear the sessions for which the corresponding cookie was sent in the request to the /pa/oidc/logout resource. If PingFederate or the authentication authority can maintain different sessions for each set of apps, you can use SLO to sign off of all sessions in each set. To initiate the end sessions sign off in specific domains, call the /pa/oidc/logout.png endpoint used by SLO.

For more information, see Server-side session management configuration in the PingAccess solutions documentation.