Tuesday, September 04, 2007

A Quasi-dynamic Signout Template

Nested under the WEB-INF/psftdocs directory of your PeopleSoft web server, you will find several HTML templates. Even though the title of this post references the signout template specifically, the concepts outlined in this post are relevant to the other templates as well.

Template Variables

As you browse the delivered templates, you will notice that several templates include JSP/ASP style tags used to insert text into the template. To include additional localized text in the signout.html template, you can add an entry to your language's text.properties file. For example, to include the text Please contact the IT Help Desk for further information in your template, add the following text to the text.properties file.

6000=Please contact the IT Help Desk for further information

To insert that text into your template, add <%=6000%> to your template.

Query String

Since HTML templates are read and parsed by PeopleSoft, we really can't enhance them with dynamic content beyond the functionality built into that parser. Therefore, our ability to inject dynamic content into these templates is somewhat limited. Nevertheless, if we can get additional data into the logout URL as query string parameters, we can access those parameters from the template at "runtime" using JavaScript.

Now the real trick... appending key/value pairs to the logout URL. If you are using PeopleSoft's Enterprise Portal, you can modify the sign out link from the Define Headers component (Portal Administration > Branding > Define Headers). Other alternatives for enhancing the sign out link include modifying the HTML objects that define the header or using JavaScript to modify the href attribute of the Sign out link.

ServletFilter

Using a Servlet Filter like Monkeygrease we can inject valid HTML content (including JavaScript, CSS, HTML, etc) into the PeopleSoft response. If you really want to get dynamic, you can create your own filter to do just about anything (access a database with JDBC, call a web service, etc).

35 comments:

Unknown said...

For our PeopleSoft Portal we have a few <img src="https://..." height="0" width="0"/> tags to call logout procedures in other systems our portal links to. We have added those logout URLs to our text.properties file because we also reference the same links in the exception.html, expire.html and a few others. By including the links in the text.properties files we can maintain those links in one place and this makes it easier when we move between our non-production environments.

Even though PeopleSoft uses numeric codes in the file, it is just a regular java properties file. So at least as of tools 8.46 you can use alpha keys, for example:

FINLOGOUT=https://..../?cmd=logout

Then our template files look like this near the </body> tag:

<img src="<%=FINLOGOUT%>" height="0" width="0"/>

Jim Marion said...

Perfect John!! That is an outstanding example of how to use the text.properties file. Thank you for sharing this tip. I really appreciate it! You are correct, you can use any valid Java properties file key. To avoid naming collisions, I suggest developers add a common prefix to their keys. For example, myUniversityInitials.finlogout=...

By the way, the single signout technique you employ is very critical when using portal or any other scenario where you are using PeopleSoft single signon. For those of you readers that are not familiar with single signoff, you can read more about it in PeopleBooks at Home > PeopleBooks > Enterprise PeopleTools 8.49 PeopleBook: Security Administration > Implementing Single Signon > Configuring PeopleSoft-Only Single Signoff.

Chris Heller said...

It's true that you can't do much with the PeopleSoft delivered logout page in terms of making it more dynamic - the entry in the Web Profile for the logout page needs to point a file on the local file system so that the parsing that you're talking about can take place.

However, you can always set up the logout page to forward elsewhere. That forwarded link can be as dynamic as you want.

Obviously you don't want to count on this from a security standpoint, but it can be handy for usability. We had a recent customer that was doing integration with a non-PeopleSoft portal and wanted the signout page to send the users back into the portal. The redirect in the PeopleSoft signout page works well for that.

Jim Marion said...

Exactly! Thank you for the clarification Chris. In our organization, we actually use the signout template the same way.

hasan said...

Hi Jim
Nice article. Do you know if there is a way to log a user out of their session via peoplecode.
Best
Hasan

hasan said...
This comment has been removed by the author.
Jim Marion said...

@hasan, that is a very good question, and probably good enough to warrant a short blog post! I am not aware of a signout/logout PeopleCode function. I am, however, aware of a couple of ways to log a user out from PeopleCode. My first recommendation is to execute %Response.Redirect(%Request.ContentURI | "?cmd=login") where fscm is the name of your "site." Of course, you could make the URL more flexible by parsing the pieces out of the

As an alternative, if you have anonymous authentication enabled in your web profile, then you can use SwitchUser to switch to the anonymous user. Use this option if you use enterprise portal with a guest signon. The problem with this option is that it doesn't clean up the app server and web server session. It does switch the user to a less privileged user, but keeps a session on the app server. The Redirect, on the other hand, will clean up the app server and web server sessions.

hasan said...

Hi Jim
Thats a great idea! Thanks for the tip.
Best
Hasan

Vikas Bhartiya said...

Hi Jim,
Have you come across a requirement wherein user should get an error/warning message when trying to signout if she has a pending worklist item?

Any idea how to configure this?
thanks,
Vikas

Jim Marion said...

@Vikas, I have not seen that requirement before. The problem that you will have is that there is no sign out event. I am not aware of a hook into the signout process. The template shown here actually appears after the users session is destroyed. I am not aware of a way to securely query a user's worklist after the user is signed out. You could create a web service that returns the count of unworked items and call that from Ajax. The user's ID is available in a cookie. The count of unworked items might be considered safe information to share and not a security risk. If that is the case, then you could display the count of unworked items through Ajax, but it would be after the user signed out.

Jim Marion said...

By the way, if someone knows of a way to capture the signout prior to signout, I would love to hear it...

Actually, you could capture the signout link using JavaScript and display a popup. It isn't foolproof, but it is a start. You could use Ajax and IScripts/Integration Broker to get details of outstanding worklist items. It would prolong the signout process since it would execute the ajax call first.

Vikas Bhartiya said...

Jim,
Thanks for your response. I will surely log back if I come up with something using your ideas.

Best regards,
Vikas

Vikas Bhartiya said...

Jim,
When we have an unsaved component and we click on Sign Out, there is a prompt asking whether we want to continue without saving. How does this event get fired? Can we tweak this process to query psworklist before leaving peoplesoft?
Just a thought!

Thanks,
Vikas

Jim Marion said...

@Vikas, that is another good idea. I wrote about those functions here: Leveraging PeopleSoft's JavaScript Save Warning. Take a look at the JavaScripts inserted into the header and find the one with the save warning.

Rather than modify the page directly, you can use something called Monkey Patching to override the delivered warning message.

Mysha(Hazel) said...

Hi Jim,
I was working on pagelets and AWE based upon your new book :) which is quite helpful. Thanks for releasing this material. I have 2 questions 1. How to create a new template in peoplesoft , until now I have been using default template while registering any component.
2. If i want to create a new pagelet based on PSquery, I also want to hyperlink first field and when user clicks on it it open the component in seperate window showing all the details. It seems quite easy in peoplecode but not sure how to use peoplecode in Pagelets as I am very ver new. Another similar Question is , how to throw a person on a component(without search record) after he logs in (This component just show some details and also Menu and other top things should not be shown (I believe that can be achieved by a template)) . I know I have asked quite many things but I am very very keen to learn these things as project here has some demands like this.


thanks
Prateek

rohan tyagi said...

Is there a way to show different signout page to different users based on their role or any other attribute

Jim Marion said...

@Rohan, by the time PeopleSoft calls the signout template, the user is already signed out, so there wouldn't be any information about the user available to the template.

rohan tyagi said...

Thanks for the reply.
We are using single signon. We can store the information in a cookie at the time user logs in through an external website. Now when the user selects to enter the peoplesoft portal, its authentication details are passed through this cookie.
I want to ask- Is it possible to use this information inside the cookie to pre-decide that this user gonna see xyz page when it clicks sign out.

Jim Marion said...

@Rohan, OK, that makes sense. Yes. The signon.html template contains the HTML, JavaScript, etc that PeopleSoft will send to the browser on logout. What you can do is write JavaScript to evaluate document.cookie, and then do pretty much anything. You can send the user to a different page, show/hide portions of the current page, etc.

Unknown said...

Jim, I have run into an issue with the logout URL. We are accessing the FIN application from the portal and when the page expires, the expired page shows the FIN URL and not staying on the portal URL. I have researched enough to understand where the redirect is happening but in vain. Please help me on how to go about it.

Jim Marion said...

@Sumasini update the portal tab of your FSCM and EMPL nodes to have the psp and psc URL of your Interaction Hub and FSCM system. Do this in both Interaction Hub and FSCM. Restart and clear cache. That should be all there is to it.

Is your New Window link behaving the same way as logout? Is it taking you out of the portal branding and into FSCM?

If it isn't caused by improperly configured nodes, then you may want to file a support case because this may be a bug in your tools version.

Kevin Weaver said...

We have a strange problem in our Portal Production. When the user clicks the "Sign Out" it takes 5 minutes for the server to respond and sign them out. But this only happens when the user has a Pagelet that on their homepage that is from our HCM node? If the user has no pagelets from the HCM node, then it the sign out happens right away, if they have either the Company Directory or Team Calendar pagelets from HCM it takes 5 minutes and a couple of seconds to sign them out? Do you have any thoughts or ideas on this really strange problem?

Thanks Jim!

Jim Marion said...

@Kevin, check your app server logs and file a support ticket. That is unusual behavior and may require a patch to resolve.

Kevin Weaver said...

Thanks Jim. We already have a support ticket with Oracle, but we have not heard from them in two weeks. Thought I would try you and see if you have ever heard of anything like this problem we are having.

Thanks again!

Unknown said...

Hi Jim,

We have a situation where the PS token is getting swapped (via Switch User) at the App server and the original user ends up seeing the data of an anonymous user. PN: There is no specific code to call the SwitchUser command.

Do you know of any reasons behind this automatic switch at the server level and any potential solution to work around it?

thanks,
Raj

Jim Marion said...

@Raj, I do not. You should file an Security Vulnerability support case with global support.

Unknown said...

Hello Jim,

Any idea, how can we make signout page dynamic when we have SSO implemented?
Here is the story:We have single sign on configured.
Currently user go from HR system to ELM system and when user signs out,irrespective of from where user signsout, It lands to HR system login page.

Now, we are bringing an ELM standalone system but only for certain group of users.
Due to single sign on, when i sign out from new ELM system, it redirects me to HR login page.

Is there any way to handle the cookies in such a way, when i signout from ELM, it should redirect to ELM login page??

Thanks

Jim Marion said...

@Unknown, I think cookies or LocalStorage would be your only option. Perhaps you can put someting into LocalStorage from the login template and then test that value from the logout page? If the JavaScript in the logout page detects that you are supposed to be on the ELM login page, use window.location.href = '...' to send to the appropriate ELM page?

Unknown said...

Thank you Jim.

I tried using html but unluckily when i sign out, it redirects me to a blank page and under url it shows error. I tested my javascript online. it works proper and also i tested same code for a peoplesoft page but putting into html area.. it does work fine there but somehow it does not f when i mention this html file under web configuration signout and load it on server.

I am placing my html file code here, you might get a clue which is getting ignored by me.

html start tag
head start tag
script type="text/javascript"
// Get the current URL
var URL = window.location.href;
// Validate whether the URL contains "ELM"
if(URL.indexOf("ELM") != -1)
{
// if true, redirect to...
window.location.href = "ELM Link";
//window.location.reload;
}
else
{
// if false, redirect to...
window.location.href = "HR Link";
//window.location.reload;
}
script end tag
head end tag
html end tag


Thanks,
Deepika

Jim Marion said...

Looks right. Did you open the console to see any error details and so you can drill into the JavaScript line that is throwing an error?

Unknown said...

Hi Jim,

I tried debugging and on network tab, on click of signout.It seems its trying to redirect to the specific URL infinte times. I could not understand why it is going to loop.

In my case, the first condition gets true and it tries to redirect to first link endless times. Hence error out by giving browser message.



Thanks,
Deepika

Jim Marion said...

I am sorry Deepika, there isn't enough information here for me to give you an intelligent response. I would need to see the URL and the redirect, but that would not be wise to share in an open forum.

There are a couple of things that can cause a redirect loop:

#1 Two server-side resources are sending location headers that tell the browser to keep bouncing between the two. This can happen with identity management, where the app says it needs a token cookie and redirects to identity management. The identity management software thinks it is there and send you back to the app. You should be able to see if this is the cause by looking at the response headers and response code

#2 JavaScript in the downloaded document causes the page to continuously reload. This would happen if you land on a page, that page uses window.location.href to go somewhere else, and that somewhere else either happens to be the page you are on or that somewhere else says, "you shouldn't be here yet" and sends you back.

Your JavaScript test is for any URL with ELM in the URL. If you use this on ELM, I suspect there will always be ELM in the URL? If that is the case, is this going to cause the current page to constantly reload itself? What if you test if the current URL is the same as the target URL?

Unknown said...
This comment has been removed by the author.
Unknown said...

Hi Jim,

Thank you for your feedback. Yes i worked on my conditions and issue is solved.

Thanks,
Deepika

pazhanivel said...

Hi Jim

If we use the %Response.Redirect(%Request.ContentURI | "?cmd=logout") ,the signout is happening,but it is not updating the PSACCESSLOG record LOGOUTDTTM field.
Do you have any clue.