There are two ways to implement server-side session management:

  • PingAccess can reject a PingAccess cookie associated with a PingFederate session that has been invalidated as a result of an end-user-driven logout.
  • The end-user can initiate a logout from all PingAccess-issued web sessions using a centralized sign off.

PingAccess can only clear the sessions for which the corresponding cookie is sent in the request to the /pa/oidc/logout resource. If PingFederate, as the authentication authority, can maintain different sessions for each set of apps, you can use SLO to sign off of all sessions in each set. To end the sessions in specific domains, call the /pa/oidc/logout.png endpoint that SLO uses.
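The cookie-scoping limit described above, modelled as an added example (not Ping Identity code): standard browser cookie matching (RFC 6265) decides which session cookies accompany a logout request, and therefore which sessions that request can clear. The cookie names, hosts and domains are constructed for illustration.

```python
"""Model of which PingAccess web sessions one logout request can clear."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionCookie:
    name: str          # constructed name, not a product default
    origin_host: str   # host whose response set the cookie
    domain: str = ""   # Domain attribute; empty means host-only
    path: str = "/"

def domain_match(host: str, cookie: SessionCookie) -> bool:
    """RFC 6265 section 5.1.3 domain matching, plus the host-only case."""
    host = host.lower().rstrip(".")
    if not cookie.domain:
        return host == cookie.origin_host.lower()
    domain = cookie.domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def cleared_by_logout(host, cookies, path="/pa/oidc/logout"):
    """Cookies the browser attaches to the logout request on `host`."""
    return [c for c in cookies
            if domain_match(host, c) and path_match(path, c.path)]

def residual_sessions(logout_hosts, cookies, path="/pa/oidc/logout"):
    """Sessions left alive after calling the logout resource on each host."""
    cleared = {c for h in logout_hosts
               for c in cleared_by_logout(h, cookies, path)}
    return [c for c in cookies if c not in cleared]

# Constructed browser state: three app sets, each with its own session cookie.
COOKIES = [
    SessionCookie("PA_hr", "hr.corp.example", domain="corp.example"),
    SessionCookie("PA_shop", "shop.example.net"),  # host-only cookie
    SessionCookie("PA_partner", "app.partner.example.org",
                  domain="partner.example.org"),
]

if __name__ == "__main__":
    left = residual_sessions(["hr.corp.example"], COOKIES)
    print("still valid after one logout:", [c.name for c in left])
```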

SLO is done by redirecting to the standard SLO location, which is configured in the run.props file. PingAccess does not revoke the user’s session. The user is directed to the pa.oidc.logout.redirectURI URI when they sign off using OpenID Connect and the PingFederate SLO endpoint.

For more information, see Configuration file reference and OpenID Connect endpoints.

  1. In the PingFederate administrative console, go to Applications > OAuth > Clients > Client Management, and select the relevant client.
    The Client page opens.
  2. To enable PingFederate to add the SRIs to the revocation list if SLO is initiated, in the OpenID Connect section, select the PingAccess Logout Capable check box.
  3. Click Save.

PingFederate uses the logout.png endpoint /pa/oidc/logout.png to initiate a sign off from PingAccess in conjunction with the SLO functionality. This endpoint terminates the PingAccess tokens across domains.

For more information, see Configuring PingFederate for user-initiated single logout.