PingFederate Logout Redirect

Many of the Ping Identarati already know that the HTML Form IdP Adapter has a Logout capability, which is used to clear PingFederate SSO cookies from the browser and redirect to a static webpage. We have come across some use cases where the desired behavior is to clear the PingFederate SSO cookies and then redirect dynamically to a desired webpage. This blog will show a simple implementation where a “referrer” query parameter is added that enables the behavior to redirect to a desired webpage after PingFederate SSO cookies are cleared.

The key to the dynamic referrer query parameter solution is extending the logout success Velocity template, namely idp.logout.success.page.template.html. Adding the following JavaScript to the Velocity template adds the referrer capability. The <body> tag will also be modified to process the referrer upon page loading, namely to <body onload="processLogout()">. When the page loads, the JavaScript looks for the referrer value.

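  <script>
    // Runs on page load: redirect if a "referrer" parameter is present,
    // otherwise reveal the normal "signed out" content.
    function processLogout() {
        var redir = getUrlParameter("referrer");
        if (redir != '') {
            // redir comes straight from the query string and is not validated here
            window.location = redir;
        } else {
            document.getElementById("docbody").style.display = "block";
        }
    }
    // Returns the decoded value of the named query parameter, or '' if absent.
    function getUrlParameter(name) {
        name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');
        var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
        var results = regex.exec(location.search);
        return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' '));
    }
  </script>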
  


Once the JavaScript has been added to the Velocity template, the <body> tag will need to be modified to process the referrer upon page loading, as shown in the code snippet below. A new <div> tag is also needed for the case when no referrer is provided; it carries the "id" that the JavaScript uses to display the page content.

 

  <body onload="processLogout()">
    <div class="container" id="docbody" style="display: none;">
  
    </div>
  </body>
  


With this implementation, the logout capability of the HTML Form IdP Adapter will behave in the following way.

    1. If the logoff page is hit with no query parameters (e.g. https://sso.company.com/ext/logoff) then:
      • PingFederate SSO cookies will be cleared
      • User will land on the "you have been signed out" page
    2. If the logoff page is hit with query parameters (e.g. https://sso.company.com/ext/logoff?referrer=https://www.google.com) then:
      • PingFederate SSO cookies will be cleared
      • User will be redirected to the URL given in the "referrer" parameter (NB: it needs to be fully qualified with a protocol such as HTTP/S). In the example above the redirect will be to: https://www.google.com.
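Because the "referrer" value is read from the query string and handed to window.location as-is, the logoff page will forward a user to whatever URL the link contains. The variant below is an added example, not code from the original post: it only redirects to HTTPS URLs on an allowlist of hosts and otherwise shows the signed-out page. The host names, the ALLOWED_HOSTS constant and the getSafeReferrer helper are assumptions for illustration.

```javascript
// Added example. ALLOWED_HOSTS holds assumed placeholder hosts; replace with
// the applications in your own federation.
var ALLOWED_HOSTS = ['www.company.com', 'apps.company.com'];

// Returns a normalised, validated redirect URL taken from the "referrer"
// query parameter, or '' when the value is missing or not acceptable.
function getSafeReferrer(search, allowedHosts) {
    var raw = new URLSearchParams(search).get('referrer');
    if (!raw) { return ''; }
    var target;
    try {
        // No base URL is given, so relative and scheme-relative values
        // (e.g. "//host/path") fail to parse and are rejected.
        target = new URL(raw);
    } catch (e) {
        return '';
    }
    // Only https: is accepted here (an assumption; the post also mentions HTTP).
    // This also excludes non-network schemes such as javascript: and data:.
    if (target.protocol !== 'https:') { return ''; }
    // Reject embedded credentials ("https://trusted@other.host/").
    if (target.username !== '' || target.password !== '') { return ''; }
    // Exact host match; URL() has already lower-cased the hostname.
    if (allowedHosts.indexOf(target.hostname) === -1) { return ''; }
    // Return the parser's own serialisation so the browser navigates to
    // exactly the URL that was checked.
    return target.href;
}

// Drop-in replacement for processLogout() in the template's <script> block.
function processLogout() {
    var redir = getSafeReferrer(window.location.search, ALLOWED_HOSTS);
    if (redir !== '') {
        window.location = redir;
    } else {
        document.getElementById('docbody').style.display = 'block';
    }
}
```

With this version a rejected referrer behaves exactly like case 1 above: cookies are cleared and the user stays on the signed-out page.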

This adds the flexibility to auto-redirect to other locations upon logoff across applications within a federation. If you have any comments or questions, please contact us!

 
