SAML 2.0: Local Logout and Close Window

SingleLogout is a SAML feature that is the opposite of Single Sign-on. It allows a user to log out of their current application and, at the same time, out of their federated SAML session.

In some cases, companies that have implemented SAML 2.0 between ServiceNow and their federation system do not want to enable SingleLogout on their instance.

This can be a handy thing, or it can be a pain, especially if you log out of ServiceNow and then go into another authenticated federated app only to find out that you have to log back into your federation service.

There are several different options for companies that decide not to implement SingleLogout. This post, however, will focus on the following goal:

When the user clicks the Logout button in ServiceNow, it logs the user out of ServiceNow and closes that window.

Implementation

Step 1: Create a UI page that closes the current window

The key part of the HTML here is the following javascript:

  <script type="text/javascript">
    // Re-target the current window so the browser treats it as script-opened,
    // then ask it to close. Browsers that refuse simply leave the page open.
    window.open('', '_self', '');
    window.close();
  </script>

Step 2: Make the UI Page public

We’ll need to be able to access this page without being authenticated. To do this, browse to the following URL on your instance:

https://myinstance.service-now.com/sys_public_list.do

We create a new record where we set the “Page” field to the same as the name field on our UI Page.

Step 3: Set the SingleLogoutRequest URL to your “Close Window” page

Browse to your SAML 2.0 Properties page and set the SingleLogoutRequest URL property to the URL of the “Close Window” UI page created in Step 1.

Result

Now, when the user clicks the “Logout” button, their local session will be terminated and they will then be redirected to the “close_window.do” page and the window/tab will be automatically closed.
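As an added example (not code from the original post), here is a version of the close_window page script that handles the case where the browser refuses to close a window the script did not open: it attempts the close and, if the window is still open, writes a logged-out notice instead of leaving a blank page. The function takes the window object as a parameter, and the fakeWindow helper is a constructed stand-in so the logic can be dry-run outside a browser.

```javascript
// Close the current window after a local ServiceNow logout, falling back to a
// visible notice when the browser does not allow the page to close itself.
function closeAfterLogout(win) {
  // Re-targeting the current window before close() is the trick the original
  // post relies on; browsers that refuse the close do not throw, they just
  // leave the window open (and log a console warning).
  try {
    win.open('', '_self', '');
    win.close();
  } catch (e) {
    // A refused close is not an error for the user; fall through to the notice.
  }
  // Assumption: window.closed is true once the browser has accepted the close.
  if (win.closed) {
    return 'closed';
  }
  // The browser kept the window open: show a clear message rather than a
  // blank page so the user knows the ServiceNow session has ended.
  var doc = win.document;
  var notice = doc.createElement('p');
  notice.id = 'logout-notice';
  notice.textContent = 'You have been logged out of ServiceNow. ' +
    'This browser does not allow the page to close itself; you may close this tab.';
  doc.body.appendChild(notice);
  return 'notice';
}

// Constructed stand-in for a browser window, used only for an offline dry run.
// allowClose mimics a browser that honours close() (true) or refuses it (false).
function fakeWindow(allowClose) {
  var body = { children: [], appendChild: function (el) { this.children.push(el); } };
  return {
    closed: false,
    open: function () {},
    close: function () { if (allowClose) { this.closed = true; } },
    document: {
      body: body,
      createElement: function (tag) { return { tagName: tag, id: '', textContent: '' }; }
    }
  };
}

// In the UI page itself, run against the real window object.
if (typeof window !== 'undefined') {
  closeAfterLogout(window);
}
```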

If you enjoyed this post, please consider leaving a comment or following John Andersen on Twitter.

8 Responses to “SAML 2.0: Local Logout and Close Window”

  1. Thanks!!! This is exactly what we’ve been looking for.

  2. Any ideas why this doesn’t work in Firefox? I’m left with https://myinstance.service-now.com/close.window.do?SAMLRequest=ALongGuidHere

    My window doesn’t close but it leaves a blank window and does successfully log out.

    Works in IE and Safari.

  3. Bas says:

    Hi, thanks for sharing this. However, in this area we have an issue, possibly relating to logging out when SAML 2.0 is activated. We experience a “nested frame” issue when a SN session has expired while the browser with SN is still open.

    In this particular situation the complete environment loads into the main content frame, resulting in 2 navigation bars and two banner frames.

    We can reproduce this issue by opening 2 browser screens with the SN environment, log out in 1 browser screen and then click on a navigation bar icon in the other browser screen.

    This nested frame issue only occurs on workstations that make use of the domain and username provided by the ADFS.

    Do you have any insights on this?

    Thank you.
    Regards,
    Bas

  4. John Andersen says:

    @Scott, I guess this only works on certain versions of Firefox. I checked the javascript error log on firefox and firefox has a policy where it won’t allow javascript to close a window if the script didn’t open the window.

    In older versions of FF, you could trick the browser into thinking that the script opened the page by issuing the “window.open” command just before the close. Looks like FF didn’t like that and coded around it.

    I did find out that if you use the following statement:
    netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite");
    before the “close”, the browser will close, but only after popping up a warning message.

    Please update these comments if you find a way around this “security” feature within FF.

  5. John Andersen says:

    @Bas,

    This probably isn’t an ADFS issue. I think the same thing will happen to you if your ServiceNow session were to time out. If you have any flexibility at the IdP, I would recommend you throw frame-busting javascript code on your IdP. This should break you out of the nested framing within the ServiceNow instance.

    Here is some sample frame busting javascript: http://www.john-james-andersen.com/blog/programming/bust-out-of-those-frames.html

  6. Bas says:

    Hi John, thanks for your help. We submitted the request to the IdP, however we expect that the IdP will not implement a custom script. Are there any alternatives on the Service-Now side that you are aware of?

    Regards,
    Bas

  7. John S says:

    I realize this is an old thread, however, it was useful in thinking about how to logout of ServiceNow without using the ADFS singlelogout service. Instead of creating a custom page to logout and close the window, I used the following page:

    https://myinstance.service-now.com/external_logout_complete.do

    This works wonderfully externally and internally in both Chrome and Firefox. We are seeing something strange, however, using Internet Explorer internally. When the logout button is clicked, it first displays a page about a connection error. Then once clicked again, it successfully logs out of the system and redirects to the page I provided.

    Any ideas? I did notice we had the option for “Sign LogoutRequest” turned on so I disabled that, but it is strange that it is only happening internally and on one browser.

  8. John Andersen says:

    @John S: I don’t have much for you. I wonder, is Integrated Windows Authentication leveraged in this situation? If so, only IE supports it, and only within the internal network. Logouts don’t typically work well with Integrated Windows Authentication environments since just being logged into the workstation logs you into the website. Thus, logout really doesn’t make much sense. Thus, my gut feeling is that you are seeing this due to the quirkiness of Integrated Windows Authentication.
