Support Article
The logoff screen image is missing when logging out through SSO
SA-204
Summary
The logout splash screen image, which is shown using a binary file in the Web-Session-Return HTML, is not displayed. The image displays correctly when using any other portal.
Error Messages
Not Applicable
Steps to Reproduce
Not Applicable
Root Cause
A defect or incorrect configuration in the Pega Platform operating environment
The problem is with a piece of JavaScript contained within WEB-SESSION-RETURN:
<script type="text/javascript">
document.execCommand("ClearAuthenticationCache","false");
</script>
This is an Internet Explorer-only method of clearing session cookies, but it clears all of them, not just those for PRPC. You have already logged off from PRPC, and this JavaScript code clears all session cookies from Internet Explorer memory. This is NOT a logoff! So when the HTML document then tries to access the image, the request is redirected by your front-end security software.
Image Request:
GET http://your_host:your_port/prweb/WSSOExtServlet/9lq_-2ILkjgqdWeo9trotl2HbrY2bQ7w*/images/<IMG>.gif HTTP/1.1
Accept: */*
Referer: http://your_host:your_port/prweb/WSSOExtServlet/9lq_-2ILkjgqdWeo9trotl2HbrY2bQ7w*/!STANDARD?pyActivity=Code-Security.EndSession&pzAuth=guest
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: your_URL:your_port
Connection: Keep-Alive
Cookie: __utma=208148301.1976038235.1403137470.1403564118.1403566489.7; __utmz=208148301.1403137470.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
This response is NOT from PRPC but from the third-party security software.
HTTP/1.1 302 Found
Date: Tue, 24 Jun 2014 04:04:27 GMT
Server: IBM_HTTP_Server/ip_address Apache/2.0.47 (Unix) DAV/2
Set-Cookie: ObSSOCookie=loggedoutcontinue; path=/; domain=.your_domain;
Location: https://your_host/obrareq.cgi?wh%3your_node%20wu%3D%2Fprweb%2FWSSOExtServlet%2F9lq_-2ILkjgqdWeo9trotl2HbrY2bQ7w*%2Fimages%2FKPSplashWater.gif%20wo%3D1%20rh%3Dhttp%3A%2F%2Fyour_url.org%3A88%20ru%3D%252Fprweb%252FWSSOExtServlet%252F9lq_-2ILkjgqdWeo9trotl2HbrY2bQ7w*%252Fimages%252FKPSplashWater.gif
Content-Length: 622
Keep-Alive: timeout=10, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://your_url.org/your_cgi.cgi?wh%3your_node%20wu%3D%2Fprweb%2FWSSOExtServlet%2F9lq_-2ILkjgqdWeo9trotl2HbrY2bQ7w*%2Fimages%2FKPSplashWater.gif%20wo%3D1%20rh%3Dhttp%3A%2F%2Fyour_url.org%3A88%20ru%3D%252Fprweb%252FWSSOExtServlet%252F9lq_-2ILkjgqdWeo9trotl2HbrY2bQ7w*%252Fimages%252FKPyour_image.gif">here</a>.</p>
<hr />
<address>IBM_HTTP_Server/ip_address Apache/2.0.47 (Unix) DAV/2 Server at your_url.org Port your_port</address>
</body></html>
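The following diagnostic is an added example, not part of the original article or the product's code: it parses a captured response like the one above and reports whether a static-resource request was answered by the SSO agent instead of PRPC. The sample response is constructed (placeholder hosts and token), and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the capture above; hosts and token are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: IBM_HTTP_Server\r\n"
    "Set-Cookie: ObSSOCookie=loggedoutcontinue; path=/; domain=.example.test;\r\n"
    "Location: https://sso.example.test/obrareq.cgi?wh%3Dnode1%20wu%3D%2Fprweb%2F"
    "WSSOExtServlet%2FTOKEN*%2Fimages%2Fsplash.gif%20wo%3D1%20rh%3Dhttp%3A%2F%2F"
    "app.example.test%3A88%20ru%3D%252Fprweb%252FWSSOExtServlet%252FTOKEN*%252F"
    "images%252Fsplash.gif\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Found</h1></body></html>"
)

def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def diagnose(raw, image_ext=(".gif", ".png", ".jpg")):
    """Report whether a static-resource request was answered by the SSO agent."""
    status, headers = parse_response(raw)
    location = next((v for n, v in headers if n == "location"), "")
    cookies = [v for n, v in headers if n == "set-cookie"]
    # In the capture, the query is one encoded string of space-separated key=value pairs.
    query = unquote(urlsplit(location).query)
    params = dict(p.split("=", 1) for p in query.split(" ") if "=" in p)
    requested = params.get("wu", "")  # path of the request that was intercepted
    return {
        "redirected": status in (301, 302, 303, 307),
        "sso_cookie_reset": any(c.startswith("ObSSOCookie=loggedout") for c in cookies),
        "login_endpoint": urlsplit(location).path,
        "requested_resource": requested,
        "return_url": unquote(params.get("ru", "")),  # double-encoded in the capture
        "is_image": requested.lower().endswith(image_ext),
    }
```

A result with `redirected`, `sso_cookie_reset` and `is_image` all true matches the situation described here: the image request reached the security agent without a valid session and never got to PRPC.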
To get the image to display, you need to copy Web-Session-Return into your application ruleset and remove the following script:
<script type="text/javascript">
document.execCommand("ClearAuthenticationCache","false");
</script>
Note: This has already been removed in newer versions of PRPC.
Because the session cookies for the third-party security software are no longer removed, when you click the Return to Application button, you will NOT get redirected to the third-party security login screen.
Usually with SSO, the best approach is to modify Web-Session-Redirect so that it takes the user back to the third-party security login screen. Do this by adding meta tags or JavaScript to Web-Session-Redirect that redirect the user to a "logoff" URL used by the third-party security software.
Resolution
Perform the following local change:
Use a third-party security software logoff URL when using SSO instead of displaying the default PRPC Web-Session-Redirect HTML.
Published March 7, 2016 - Updated October 8, 2020