Work with signoff actions

Signoff actions

Signoff actions specify the operations required to initiate the PingOne standard signoff flow. The signoff service is called by the flow orchestration service. The following process describes how signoff is executed.

Step 1: The application initiates OIDC relying-party (RP) initiated logout at the end session endpoint using GET /{environmentId}/as/signoff.

GET /<environmentId>/as/signoff
Cookie: ST=<Session Token>

Step 2: After the OIDC service validates the request, it calls the DELETE /<environmentId>/session endpoint of the flow orchestration service and passes through the Cookie header. The flow orchestration service deletes the session identified by the session cookie and includes a Set-Cookie header in the response to expire the session cookie immediately.

DELETE /<environmentId>/session
Cookie: ST=<Session Token>

Set-Cookie: ST=; Path=/<environmentId>; Secure; HttpOnly; expires=<some date in the past>

Step 3: The OIDC service redirects the browser while passing through the Set-Cookie header after successful logout. Where the browser will be redirected depends on whether the logout request included the post_logout_redirect_uri parameter.

302 Found
Set-Cookie: ST=; Path=/<environmentId>; Secure; HttpOnly; expires=<some date in the past>

If the parameter is included, the browser is redirected to that URL. If it is not included, the browser is redirected to the Ping-hosted signedOut component of the PingOne UI or to the application’s configured URL of a custom UI, passing in the environmentId query parameter.
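The three steps above, modelled as an added example (this is not PingOne's code): an OIDC service that passes the Cookie header through to a flow orchestration service, which deletes the session and answers with the expiring Set-Cookie, and then a 302 whose target depends on whether post_logout_redirect_uri was supplied. The in-memory session store, the 204/404 status codes of the internal DELETE call and the hosted signedOut URL are assumptions made for illustration.

```python
# Added example modelling steps 1-3 of the signoff flow; not PingOne's code.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Any date in the past makes the browser discard the cookie immediately.
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class FlowOrchestrationService:
    """Owns sessions; DELETE /<environmentId>/session removes the one named by the ST cookie."""

    def __init__(self, sessions):
        self.sessions = dict(sessions)  # assumed store: ST value -> user id

    def delete_session(self, environment_id, cookie_header):
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        token = cookie["ST"].value if "ST" in cookie else None
        if token is None or token not in self.sessions:
            return Response(404)  # assumed: unknown or already-deleted session
        del self.sessions[token]
        # Set-Cookie that expires the session cookie right away (step 2).
        set_cookie = f"ST=; Path=/{environment_id}; Secure; HttpOnly; expires={EXPIRED}"
        return Response(204, {"Set-Cookie": set_cookie})


class OidcService:
    # Assumed placeholder for the Ping-hosted signedOut component.
    HOSTED_SIGNED_OUT = "https://<ping-hosted-ui>/signedOut"

    def __init__(self, flow):
        self.flow = flow

    def signoff(self, environment_id, cookie_header,
                post_logout_redirect_uri=None, state=None):
        # Step 2: pass the browser's Cookie header through unchanged.
        deleted = self.flow.delete_session(environment_id, cookie_header)
        if deleted.status != 204:
            return deleted
        # Step 3: redirect, passing the Set-Cookie header through.
        if post_logout_redirect_uri:
            target = post_logout_redirect_uri
            if state:
                sep = "&" if "?" in target else "?"
                target += sep + urlencode({"state": state})
        else:
            target = self.HOSTED_SIGNED_OUT + "?" + urlencode({"environmentId": environment_id})
        return Response(302, {"Location": target, "Set-Cookie": deleted.headers["Set-Cookie"]})


if __name__ == "__main__":
    flow = FlowOrchestrationService({"tok1": "user-1"})  # constructed session
    r = OidcService(flow).signoff("env-1", "ST=tok1", "https://app.example/out", "xyz")
    print(r.status, r.headers)
```

A second signoff with the same ST value fails, because the session no longer exists; that is the property the expiring Set-Cookie and the server-side delete together provide.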

Initiate signoff

The /{environmentId}/as/signoff endpoint supports the following parameters:

  • id_token_hint

    A required parameter that specifies the ID token passed to the logout endpoint as a hint about the user’s current authenticated session.

  • post_logout_redirect_uri

    An optional parameter that specifies the URL to which the browser is redirected after a logout has been performed.

  • state

    An optional parameter that is used to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri query parameter.

The OIDC service must verify the signature of the ID token specified in the id_token_hint parameter. The application identified by the ID token must exist and cannot be disabled. The user identified by the ID token must be the user identified by the current session.

Note: If a post_logout_redirect_uri parameter is provided, and it does not match one of the postLogoutRedirectUri values of any application in the specified environment, this condition is handled as a redirect error.
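The checks listed above (ID token signature, application present and enabled, token subject equal to the session user, post_logout_redirect_uri registered on some application in the environment), as an added example that is not PingOne's code. To stay self-contained it signs and verifies the ID token with an HMAC (HS256); that key handling, the application table and the error classes are assumptions, and a real verifier checks the issuer's published signing keys instead.

```python
# Added example: validating a signoff request; not PingOne's code.
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT so the example can run offline (assumption)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes) -> dict:
    """Return the claims only if the signature verifies; raise otherwise."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed id_token_hint")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("id_token_hint signature does not verify")
    return json.loads(_b64url_decode(body))


class SignoffError(Exception):
    pass


class RedirectError(SignoffError):
    """Raised for an unregistered post_logout_redirect_uri (the redirect error)."""


def validate_signoff(params: dict, session_user_id: str, applications: dict, key: bytes) -> dict:
    """applications: client_id -> {"enabled": bool, "postLogoutRedirectUri": [..]} (assumed shape)."""
    token = params.get("id_token_hint")
    if not token:
        raise SignoffError("id_token_hint is required")
    claims = verify_id_token(token, key)           # signature must verify
    app = applications.get(claims.get("aud"))      # application named by the token
    if app is None or not app["enabled"]:
        raise SignoffError("application does not exist or is disabled")
    if claims.get("sub") != session_user_id:       # token user must be the session user
        raise SignoffError("ID token user does not match the current session")
    uri = params.get("post_logout_redirect_uri")
    if uri is not None:
        # Exact match against every application's registered values in the environment.
        registered = {u for a in applications.values() for u in a["postLogoutRedirectUri"]}
        if uri not in registered:
            raise RedirectError("post_logout_redirect_uri is not registered")
    return {"sub": claims["sub"], "client_id": claims["aud"],
            "redirect_uri": uri, "state": params.get("state")}
```

The redirect check is an exact string comparison on purpose: prefix or substring matching would let an unregistered destination pass.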

The following sample shows the /{environmentId}/as/signoff operation to initiate the signoff flow:

curl -X GET \
  'https://<auth-host>/{environmentId}/as/signoff?id_token_hint=<token>&post_logout_redirect_uri=<post_logout_redirect_uri>' \
  -H 'Cache-Control: no-cache' \
  -H 'Cookie: ST=<Session Token>'

The flow orchestration service deletes the session identified by the session cookie.
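How an application would build the request shown in the curl sample and use the state parameter to tie the post-logout callback back to the logout it started, as an added example (not PingOne's or any application's code). The authorization host, the one-time state store and the callback URL are assumptions.

```python
# Added example: a relying party initiating signoff and checking state on callback;
# not PingOne's code.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class SignoffClient:
    def __init__(self, auth_host: str, environment_id: str, post_logout_redirect_uri: str):
        self.auth_host = auth_host                          # assumed, e.g. "https://<auth-host>"
        self.environment_id = environment_id
        self.post_logout_redirect_uri = post_logout_redirect_uri
        self.pending = set()                                # unconsumed state values

    def build_signoff_url(self, id_token: str) -> str:
        """GET /{environmentId}/as/signoff with id_token_hint, the registered redirect URI and a fresh state."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        query = urlencode({
            "id_token_hint": id_token,
            "post_logout_redirect_uri": self.post_logout_redirect_uri,
            "state": state,
        })
        return f"{self.auth_host}/{self.environment_id}/as/signoff?{query}"

    def handle_callback(self, callback_url: str) -> bool:
        """Accept the callback only if it carries a state this client issued and has not used."""
        parsed = urlparse(callback_url)
        if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != self.post_logout_redirect_uri:
            return False
        state = parse_qs(parsed.query).get("state", [None])[0]
        if state is None or state not in self.pending:
            return False
        self.pending.discard(state)                         # one use only
        return True


if __name__ == "__main__":
    client = SignoffClient("https://<auth-host>", "env-1", "https://app.example/out")
    url = client.build_signoff_url("<token>")               # constructed placeholder token
    print(url)
```

Removing the state on first use means a replayed or guessed callback is rejected, and the URL check rejects callbacks arriving at any path other than the registered one.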