Learn how to configure PingFederate for user-initiated PingAccess single logout (SLO) so that PingFederate knows to add the Subresource Integrities (SRIs) to the revocation list if SLO is initiated.
There are two ways to implement server-side session management:
- PingAccess can reject a PingAccess cookie associated with a PingFederate session that has been invalidated as a result of an end-user-driven logout.
- The end-user can initiate a logout from all PingAccess issued web sessions using a centralized sign off.
PingAccess can only clear the sessions for which the corresponding cookie is sent in the request to the /pa/oidc/logout resource. If PingFederate, as the authentication authority, can maintain different sessions for each set of apps, you can use SLO to sign off of all sessions in each set. Call the /pa/oidc/logout.png endpoint used by SLO to initiate the session sign off in specific domains.
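
The following added illustration (not Ping Identity code) shows why one request to /pa/oidc/logout cannot end sessions held in other cookie scopes. It models standard browser cookie domain matching; the cookie names, hosts and helper functions are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionCookie:
    name: str         # constructed cookie name, one per web session
    domain: str       # Domain attribute; "" means a host-only cookie
    set_by_host: str  # host that issued the cookie

def domain_match(host: str, cookie: SessionCookie) -> bool:
    """Simplified RFC 6265 domain matching (hostnames only, no IP literals)."""
    host = host.lower()
    if not cookie.domain:  # host-only: sent back to the issuing host and nowhere else
        return host == cookie.set_by_host.lower()
    dom = cookie.domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def logout(host, jar):
    """Model one request to https://<host>/pa/oidc/logout.

    Returns (cleared, remaining): only sessions whose cookie the browser
    attaches to this request can be cleared by it.
    """
    cleared = [c for c in jar if domain_match(host, c)]
    remaining = [c for c in jar if c not in cleared]
    return cleared, remaining

def logout_plan(jar, hosts):
    """Walk candidate hosts in order; keep those that clear at least one session."""
    plan, remaining = [], list(jar)
    for host in hosts:
        cleared, remaining_after = logout(host, remaining)
        if cleared:
            plan.append(host)
            remaining = remaining_after
    return plan, remaining

# Constructed sample: three web sessions in three cookie scopes.
JAR = [
    SessionCookie("PA.hr", "example.com", "hr.example.com"),
    SessionCookie("PA.shop", "", "shop.example.org"),
    SessionCookie("PA.partner", "partner.example.net", "portal.partner.example.net"),
]

if __name__ == "__main__":
    cleared, left = logout("hr.example.com", JAR)
    print("cleared:", [c.name for c in cleared], "still live:", [c.name for c in left])
    plan, left = logout_plan(JAR, ["hr.example.com", "www.shop.example.org",
                                   "shop.example.org", "portal.partner.example.net"])
    print("hosts to call:", plan, "uncovered:", [c.name for c in left])
```

A non-empty second value from `logout_plan` means some session cookie is never sent to any of the listed hosts, so that session would survive the sign off.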
SLO is done by redirecting to the standard SLO location, which is configured in the run.props file. PingAccess does not revoke the user’s session. The user is directed to the pa.oidc.logout.redirectURI URI when they sign off using OpenID Connect and the PingFederate SLO endpoint.
For more information, see Configuration file reference and OpenID Connect endpoints.
PingFederate uses the logout.png endpoint, /pa/oidc/logout.png, to initiate a sign off from PingAccess in conjunction with the SLO functionality. This endpoint terminates the PingAccess tokens across domains.
For more information, see Configuring PingFederate for user-initiated single logout.