PingAccess responds differently depending on whether the sign off is successful or unsuccessful.
- For successful sign offs:
  - PingAccess responds to the /pa/oidc/logout.png request with Set-Cookie: PA.ACE_ws=;.
  - The /pa/oidc/logout.png endpoint clears the ID token from the browser containing the PingAccess cookie. Unless you select Use single-logout (SLO) for the token provider, the /pa/oidc/logout.png endpoint clears the cookie only from the requested host/domain, and the cookie might still exist in requests bound for other hosts/domains. Note: If you select the Use Single-Logout option when configuring the token provider, the /pa/oidc/logout.png endpoint also sends a logout request to the token provider, which completes a full SLO flow.
- For unsuccessful sign offs:
  - PingAccess responds to the same /pa/oidc/logout.png request without clearing the PA.ACE_ws; cookie.
  - The user is directed back to the PingAccess-protected application page.
  - If the application reads and finds the PA.ACE_ws; cookie present, it doesn't redirect to PingFederate for authentication.
PingAccess can only clear the sessions for which the corresponding cookie was sent in the request to the /pa/oidc/logout resource. If PingFederate or the authentication authority can maintain different sessions for each set of apps, you can use SLO to sign off of all sessions in each set. To initiate the end sessions sign off in specific domains, call the /pa/oidc/logout.png endpoint used by SLO.
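The following added example (not part of the PingAccess documentation) checks, host by host, whether the response to a /pa/oidc/logout.png request reset the PA.ACE_ws cookie as described above, and lists the hosts where the cookie was not cleared. The hostnames, cookie attributes, and function names are assumptions constructed for illustration.

```python
# Added example: classify /pa/oidc/logout.png responses per host.
# Hostnames, attributes and header values below are constructed sample data.

COOKIE_NAME = "PA.ACE_ws"  # cookie name as shown on this page


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # skip the empty piece left by a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cleared_scope(set_cookie_headers, request_host, cookie_name=COOKIE_NAME):
    """Return the host/domain the clearing header applies to, or None.

    A header counts as clearing when it sets cookie_name to an empty value.
    Without a Domain attribute the cookie is host-only, so the scope is
    the host that answered the request.
    """
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name == cookie_name and value in ("", '""'):
            return attrs.get("domain", "").lstrip(".") or request_host
    return None


def hosts_still_signed_on(responses, cookie_name=COOKIE_NAME):
    """Return the hosts whose logout response did not clear the cookie."""
    return sorted(host for host, headers in responses.items()
                  if cleared_scope(headers, host, cookie_name) is None)


# Constructed sample: Set-Cookie headers seen in each host's logout response.
SAMPLE = {
    "app1.example.com": ["PA.ACE_ws=; Path=/; HttpOnly"],
    "app2.example.com": ["other=abc; Path=/"],
    "app3.example.org": [],
}

if __name__ == "__main__":
    for host in hosts_still_signed_on(SAMPLE):
        print(f"{host}: {COOKIE_NAME} not cleared, session cookie may remain")
```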
For more information, see Server-side session management configuration in the PingAccess solutions documentation.