Learn how to configure PingFederate for user-initiated PingAccess single logout (SLO) so that PingFederate knows to add the Subresource Integrities (SRIs) to the revocation list if SLO is initiated.
There are two ways to implement server-side session management:
- PingAccess can reject a PingAccess cookie associated with a PingFederate session that has been invalidated as a result of an end-user-driven logout.
- The end user can initiate a logout from all PingAccess-issued web sessions using a centralized sign off.
PingAccess can only clear the sessions for which the corresponding cookie is sent in the request to the resource. If PingFederate, as the authentication authority, can maintain different sessions for each set of apps, you can use SLO to sign off of all sessions in each set. Call the endpoint used by SLO to initiate the end-session sign off in specific domains.
SLO is done by redirecting to the standard SLO location, which is configured in the run.props file. PingAccess does not revoke the user’s session. The user is directed to the pa.oidc.logout.redirectURI URI when they sign off using OpenID Connect and the PingFederate
- In the PingFederate administrative console, go to , and select the relevant client.
  The Client page opens.
- To enable PingFederate to add the SRIs to the revocation list if SLO is initiated, in the OpenID Connect section, select the PingAccess Logout Capable check box.
- Click Save.
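
To confirm the check box is set on every client that PingAccess uses, you can audit an export of the PingFederate OAuth clients. The following Python script is an added example, not Ping Identity code; the JSON field names (items, clientId, enabled, oidcPolicy, pingAccessLogoutCapable), the client IDs, and the sample export are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like a PingFederate OAuth client listing.
# All field names and client IDs here are assumptions; confirm them
# against an export from your own deployment.
SAMPLE_EXPORT = """
{"items": [
  {"clientId": "pa_wam", "enabled": true,
   "oidcPolicy": {"pingAccessLogoutCapable": true}},
  {"clientId": "pa_intranet", "enabled": true,
   "oidcPolicy": {"pingAccessLogoutCapable": false}},
  {"clientId": "pa_legacy", "enabled": true, "oidcPolicy": {}},
  {"clientId": "pa_retired", "enabled": false,
   "oidcPolicy": {"pingAccessLogoutCapable": false}},
  {"clientId": "batch_job", "enabled": true}
]}
"""


def audit_logout_capable(export_text, pa_client_ids):
    """Classify each expected PingAccess client by its logout-capable flag."""
    items = json.loads(export_text).get("items", [])
    clients = {c.get("clientId"): c for c in items}
    report = {"ok": [], "not_logout_capable": [], "disabled": [], "missing": []}
    # An absent oidcPolicy or flag is treated as "off": without the flag,
    # SLO would not put the session on the revocation list.
    for cid in sorted(pa_client_ids):
        client = clients.get(cid)
        if client is None:
            report["missing"].append(cid)
        elif not client.get("enabled", True):
            report["disabled"].append(cid)
        elif (client.get("oidcPolicy") or {}).get("pingAccessLogoutCapable") is True:
            report["ok"].append(cid)
        else:
            report["not_logout_capable"].append(cid)
    return report


if __name__ == "__main__":
    expected = {"pa_wam", "pa_intranet", "pa_legacy", "pa_retired", "pa_typo"}
    for status, ids in audit_logout_capable(SAMPLE_EXPORT, expected).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Clients reported as not_logout_capable are the ones whose sessions would survive a user-initiated SLO; missing usually points to a mistyped client ID in the PingAccess token provider configuration.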
PingFederate uses the /pa/oidc/logout.png endpoint to initiate a sign off from PingAccess in conjunction with the SLO functionality. This endpoint terminates the PingAccess tokens across domains.
For more information, see Configuring PingFederate for user-initiated single logout.