Use Cases

Enabling SLO for a PingAccess-protected application using PingFederate

Learn how to require a sign off of a PingAccess-protected application with PingFederate acting as token provider.

There are multiple scenarios to sign off a user. As an administrator, you might require one or more sign-off flows because requirements for each application can differ.

This guide provides information for the following use cases:

  • Global single logout (SLO)

  • Per application or partial logout

Each PingAccess sign-off flow is user-initiated, not system-initiated. PingAccess checks if a session is revoked and, if the existing session is found to be revoked, redirects for web. PingAccess doesn’t revoke sessions. It checks the revocation status by sending a GET request to that endpoint.

Components

  • PingAccess 6.3

  • PingFederate 10.3

PingAccess Logout endpoint

PingAccess responds differently depending on whether the sign off is successful or unsuccessful.

  • For successful sign offs:

    1. PingAccess responds to the /pa/oidc/logout.png request with Set-Cookie: PA.ACE_ws=;.

    2. The /pa/oidc/logout.png endpoint clears the ID token from the browser containing the PingAccess cookie.

      Unless you select Use single-logout (SLO) for the token provider, the /pa/oidc/logout.png endpoint clears the cookie only from the requested host/domain, and the cookie might still exist in requests bound for other hosts/domains.

      If you select the Use Single-Logout option when configuring the token provider, the /pa/oidc/logout.png endpoint also sends a logout request to the token provider, which completes a full SLO flow.

  • For unsuccessful sign offs:

    1. PingAccess responds to the same /pa/oidc/logout.png request without clearing the PA.ACE_ws; cookie.

    2. The user is directed back to the PingAccess-protected application page.

    3. If the application reads and finds the PA.ACE_ws; cookie present, it doesn’t redirect to PingFederate for authentication.

PingAccess can only clear the sessions for which the corresponding cookie was sent in the request to the /pa/oidc/logout resource. If PingFederate or the authentication authority can maintain different sessions for each set of apps, you can use SLO to sign off of all sessions in each set. To initiate the end sessions sign off in specific domains, call the /pa/oidc/logout.png endpoint used by SLO.

For more information, see Server-side session management configuration in the PingAccess solutions documentation.

Configuring PingAccess partial logout

Learn how to require termination of a user’s session per application or by a partial logout protected in the PingAccess administrative console.

Before you begin

You must:

Steps

  1. In the PingAccess administrative console:

    1. Go to Settings → Token Provider → Runtime → Show Advanced Settings.

    2. Clear the Use Single-Logout check box.

    Screen capture of the the PingAccess Administrative console. System is selected from the Settings menu. There are Advanced settings for Back Channel Servers, Back Channel Secure, Back Channel Base Path, Skip Hostname Verification, Expected Hostname, Use Proxy, Use Single-Logout. The Use Single Logout checkbox is cleared.
    1. Click Save.

  2. In the PingFederate administrative console:

    1. Go to Authentication → Integration → IdP Adapters → Manage Adapter Instances and then select the relevant IdP adapter instance.

      Result:

      The Create Adapter Instance page opens.

    2. To show the logout related fields, go to the IdP Adapter → Show Advanced Fields.

    3. In the Logout Path field, enter the path with the PingAccess endpoint.

      You can enter any valid path string.

      This value must start with a "/" character. For example, if you enter /mylogoutpath, then the logout path is /ext/mylogoutpath. Don’t use a path already used by another adapter, such as /ext/pickup or /ext/dropoff.

      Use an alphanumeric string to minimize the risk of using an invalid value in this field.

    4. In the Logout Redirect field, enter the URL that PingFederate uses to redirect the user after sign off.

      The default Logout Redirect value is https://<pingaccessServer>:3000/pa/oidc/logout.

    5. For PingFederate to display a page using a template, in the Logout Template field, enter the name of the template file.

    6. In the Logout Path field, enter a path with the PingAccess endpoint.

      The default Logout Path value is <pf_install>/server/default/conf/template/idp.logout.success.page.template.html.

      Screen capture of the administrative console in the Create Adapter Instance configuration page. In the middle of the list, the Logout Path and Logout Redirect fields are highlighted in green with values of /logout and https://pa.pinglab.com:3000/pa/oidc/logout, respectively.
    7. Click Done.

Configuring global single logout

Learn how to revoke global sessions with single logout (SLO) in the PingFederate administrative console.

Before you begin

Make sure the identity provider (IdP) adapters have their Session State set to Globally in PingFederate.

About this task

To revoke global sessions with SLO:

Steps

  1. In the PingFederate administrative console, go to Applications → Integrations → Default URLs → SP Default URLs.

  2. To allow TargetResource as a redirect URI in PingFederate, enter and edit the URL in the Provide The Default URL You Would Like to Send The User to When Single Logout (SLO) Has Succeeded field.

    The TargetResource is the landing page PingFederate directs the user to after logout, for example, http://pf01.pinglab.com:9331/idp/startSLO.ping?TargetResource=://pa01.pinglab.com:3000/PingAccessQuickstart/.

    The TargetResource must be an allowed redirect URI in PingFederate.

  3. Click Save.

Result

PingFederate automatically redirects to the PingAccess logout endpoint pa/oidc/logout.

Configuring PingFederate for PingAccess single logout

Lean how to configure PingFederate for user-initiated PingAccess single logout (SLO) so that PingFederate knows to add the Subresource Integrities (SRIs) to the revocation list if SLO is initiated.

About this task

There are two ways that implement Server-Side Session Management:

  • PingAccess can reject a PingAccess cookie associated with a PingFederate session that has been invalidated as a result of an end-user-driven logout.

  • The end-user can initiate a logout from all PingAccess issued web sessions using a centralized sign off.

PingAccess can only clear the sessions for which the corresponding cookie is sent in the request to the /pa/oidc/logout resource. If PingFederate, as the authentication authority, can maintain different sessions for each set of apps, you can use SLO to sign off of all sessions in each set. Call the /pa/oidc/logout.png endpoint used by SLO to initiate the end sessions sign off in specific domains.

SLO is done by redirecting to the standard SLO location, which is configured in the run.props file. PingAccess does not revoke the user’s session. The user is directed to the pa.oidc.logout.redirectURI URI when they sign off using OpenID Connect and the PingFederate SLO endpoint.

Steps

  1. In the PingFederate administrative console, go to Applications → OAuth → Clients → Client Management, and select the relevant client.

    Result:

    The Client page opens.

  2. To enable PingFederate to add the SRIs to the revocation list if SLO is initiated, in the OpenID Connect section, select the PingAccess Logout Capable check box.

  3. Click Save.

Result

PingFederate uses the logout.png endpoint /pa/oidc/logout.png to initiate a sign off from PingAccess in conjunction with the SLO functionality. This endpoint terminates the PingAccess tokens across domains.