PingOne Platform APIs

IdP Signoff

GET {{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}

Use GET {{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}} to initiate user logout from the IdP associated with the user. The application for which the id_token_hint value was issued must exist, must not be disabled, and must have its idpSignoff property set to true (refer to Applications OIDC settings data model).

The request URL requires the id_token_hint parameter. This value is the ID token passed to the logout endpoint as a hint about the user’s current authenticated session. Refer to Get an ID Token in our Workflow Library for instructions to get an ID token.

The id_token_hint value is validated as follows:

  • It must be signed by an application identified in the aud claim.

  • If the client_id query parameter is specified, it must match the aud claim.

  • The iss claim must match the authorization server URL used for the /idpSignoff request:

    • If a custom domain is used (the URL is https://<custom domain>/as/idpSignoff), the iss claim must be https://<custom domain>/as.

    • The region specified in the URL (tld/{envId}/as/idpSignoff), must be https://auth.pingone.[tld]/{envID}/as in the iss claim.

The id_token_hint value can be used even if it has expired.

The response returned depends upon these settings:

  • If you specify the post_logout_redirect_uri query parameter, PingOne returns a 302 HTTP code with a Location header that contains the post_logout_redirect_uri value. This post_logout_redirect_uri must match (case-sensitive) a URI that has already been registered with the application.

  • If you do not specify the post_logout_redirect_uri query parameter, PingOne returns a response that depends on the request’s Accept header:

    • When Accept: application/json is specified, PingOne returns a 204 HTTP code without a response body.

    • For all other Accept header assignments, PingOne returns a 302 HTTP code with a Location header that contains the environment’s sign-on URL (either https://auth.pingone.[tld]/{envID}/as/signon or https://<custom domain>/as/signon) with #signOff appended.

For more information about PingOne SSO sessions and sign off, refer to OIDC session management.

Query parameters

Refer to OpenID Connect/OAuth 2 for complete property descriptions.

Parameter Type Required?

client_id

String

Optional

id_token_hint

String

Required

post_logout_redirect_uri

String

Optional

Example Request

  • cURL

  • C#

  • Go

  • HTTP

  • Java

  • jQuery

  • NodeJS

  • Python

  • PHP

  • Ruby

  • Swift

curl --location --globoff '{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}'
var options = new RestClientOptions("{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}")
{
  MaxTimeout = -1,
};
var client = new RestClient(options);
var request = new RestRequest("", Method.Get);
RestResponse response = await client.ExecuteAsync(request);
Console.WriteLine(response.Content);
package main

import (
  "fmt"
  "net/http"
  "io"
)

func main() {

  url := "{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}"
  method := "GET"

  client := &http.Client {
  }
  req, err := http.NewRequest(method, url, nil)

  if err != nil {
    fmt.Println(err)
    return
  }
  res, err := client.Do(req)
  if err != nil {
    fmt.Println(err)
    return
  }
  defer res.Body.Close()

  body, err := io.ReadAll(res.Body)
  if err != nil {
    fmt.Println(err)
    return
  }
  fmt.Println(string(body))
}
GET /{{envID}}/as/idpSignoff?id_token_hint={{idToken}} HTTP/1.1
Host: {{authPath}}
OkHttpClient client = new OkHttpClient().newBuilder()
  .build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = RequestBody.create(mediaType, "");
Request request = new Request.Builder()
  .url("{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}")
  .method("GET", body)
  .build();
Response response = client.newCall(request).execute();
var settings = {
  "url": "{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}",
  "method": "GET",
  "timeout": 0,
};

$.ajax(settings).done(function (response) {
  console.log(response);
});
var request = require('request');
var options = {
  'method': 'GET',
  'url': '{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}',
  'headers': {
  }
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
import requests

url = "{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}"

payload = {}
headers = {

}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)
<?php
require_once 'HTTP/Request2.php';
$request = new HTTP_Request2();
$request->setUrl('{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}');
$request->setMethod(HTTP_Request2::METHOD_GET);
$request->setConfig(array(
  'follow_redirects' => TRUE
));
$request->setHeader(array(

));
try {
  $response = $request->send();
  if ($response->getStatus() == 200) {
    echo $response->getBody();
  }
  else {
    echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' .
    $response->getReasonPhrase();
  }
}
catch(HTTP_Request2_Exception $e) {
  echo 'Error: ' . $e->getMessage();
}
require "uri"
require "net/http"

url = URI("{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}")

http = Net::HTTP.new(url.host, url.port);
request = Net::HTTP::Get.new(url)

response = http.request(request)
puts response.read_body
var request = URLRequest(url: URL(string: "{{authPath}}/{{envID}}/as/idpSignoff?id_token_hint={{idToken}}")!,timeoutInterval: Double.infinity)
request.httpMethod = "GET"

let task = URLSession.shared.dataTask(with: request) { data, response, error in
  guard let data = data else {
    print(String(describing: error))
    return
  }
  print(String(data: data, encoding: .utf8)!)
}

task.resume()

Example Response

302 Moved Temporarily