TL;DR - recommended URLs

The following URLs will log out of Ping Fed/Ping One and return the user to the mytopcon front page:

• QA: https://qa-token.auth.topcon.com/idp/startSLO.ping
• Prod: https://token.auth.topcon.com/idp/startSLO.ping

This is our recommended and supported method of logging out. We intend to maintain these going forward such that they will log out of our systems. 

If you have more specialied needs, the following notes may be helpful.

Systems to log out of

To create a working logout, there is an assortment of different endpoints/query parameters to contend with, each of which has its own endpoint and name for the page-to-go-to-next:

Client application

• URL depends on app

TRAPI

• https://${trapiHost}/logout?ping=true&redirect={redirect_uri}

PingFed

• https://${pingFedHost}/idp/startSLO.ping?TargetResource={redirect_uri}
• This URL will log out of any adapters (e.g. remove team choice, profile choice)
• If you don't specify the TargetResource, the default behaviour kicks in, which will log out of PingOne and redirect to the MyTopcon home page.

PingOne

• https://${pingOneHost}/as/signoff?post_logout_redirect_uri={redirect_uri}

• This URL is a traditional logout for the user credentials.
• The post_logout_redirect_uri has to match the configured URI exactly - no wildcards. This makes it very brittle to configure, so we would prefer to only allow redirect to MyTopcon or (in the future) the Self-Service Dashboard.

Desires

• logging out of PingFed => logging out of PingOne
  • implemented as default behaviour
• logging out of TRAPI => logging out of PingFed
  • currently implemented
• logging out of TRAPI => logging out of PingOne
  • could investigate but not prioritized at the moment

Current good practice

We wrote the following Javascript code to generate URLs to log out of various systems; usage is 

DEPLOY_ENV="qa" node logout.routes.js trapi pingone

// logout.routes.js
// code for generating logout urls:
const deployEnv = process.env.DEPLOY_ENV || "qa";
const settings = {
    qa: {
        trapiHost  : "api-qa.topcon.com",
        pingFedHost: "qa-token.auth.topcon.com",
        pingOneHost: "qa-id.auth.topcon.com",
        terminals  : {
            ssd:   { url: "https://mytopcon-stg.topconpositioning.com"},
            local: { url: "http://localhost:3434/logout", state:"post"},
            magnet:{ url: "https://core2-beta.magnet-cloud.com/auth/callback-logout"},
        }
    },
    prod: {
        trapiHost  : "api.topcon.com",
        pingFedHost: "token.auth.topcon.com",
        pingOneHost: "id.auth.topcon.com",
        terminals  : {
            ssd: { url: "https://mytopcon.topconpositioning.com"},
        }
    }
}[deployEnv];

prefixes = {
    pingone: `https://${settings.pingOneHost}/as/signoff?post_logout_redirect_uri=`,
    pingfed: `https://${settings.pingFedHost}/idp/startSLO.ping?TargetResource=`,
    trapi: `https://${settings.trapiHost}/logout?ping=true&redirect=`,
}

var urlState = {...settings.terminals.ssd};
process.argv.slice(2).reverse().forEach(x => {
    const term=settings.terminals[x], pref=prefixes[x];
    if (term && term.url) {
        urlState = {...term};
    } else if (pref) {
        urlState = {url: pref + encodeURIComponent(urlState.url) + (urlState.state ? `&state=${urlState.state}` : '') };
    } else {
        console.error(`argument ${x} not understood`);
        process.exit(1);
    }
});
console.log(urlState.url);