Pivotal Knowledge Base


How to Change a Service Plan's "Disable Redirect Parameter" to Enable Single SignOut


  • Pivotal Cloud Foundry (PCF) Elastic Runtime 1.12 and earlier
  • UAA 


This article explains steps for changing the Disable Redirect Parameter Configuration for a service plan (a.k.a. UAA Identity Zone). This article provides guidance on how to use the APIs documented for UAA in this document.


On PCF ERT 1.9 and earlier, the default value for this would be “true”, preventing logout redirects, such as for Single Logout, from functioning. Use this document to set the value to “false” to have logout redirect function correctly for identity zones created prior to PCF ERT 1.10.

Starting in PCF ERT 1.10, new identity zones will default to "false" for this value. Once you perform these steps once, you should no longer need to update the identity zone.

This issue is resolved in PCF PAS 2.0 as the disableRedirectParameter is deprecated and no longer takes effect.

1. Obtain the UAA Admin Client Credentials for the ERT tile from Ops Manager.

2. Login to your domain via UAAC

uaac target https://login.example.com

uaac token client get admin

Enter client secret from Ops Manager

3. Use UAAC to retrieve the information for the identity zone you wish to change

  • uaac curl -k /identity-zones/your-zone-id > filename.txt
  • Delete the header info and leave the JSON blob
  • If you need help identifying the zone ID, you can list all identity-zones via `uaac curl -k /identity-zones`. Alternatively, you can find the ID by looking in the URL when editing your plan: https://p-identity.example.com/dashboard/edit_plan/ (id-here, e.g. debb54d4-cd9a-4e6e-b016-56781a4a6edb)

4. Update the logout policy section so that `disableRedirectParameter` is set to false

"links": {
        "logout": {
               "redirectUrl": "/login",
               "redirectParameterName": "redirect",
               "disableRedirectParameter": false,
               "whitelist": null
       "selfService": {
              "selfServiceLinksEnabled": true,
              "signup": "/create_account",
              "passwd": "/forgot_password"

5. Submit a UAAC curl request to update the identity zone with your updated configurations

  • uaac curl -k /identity-zones/your-zone-id -X PUT -H 'Content-Type: application/json' -d '{JSON HERE}'
  • Compact the JSON to avoid issues with line spacing when using a command line, or pass in the file like uaac curl -k /identity-zones/your-zone-id -X PUT -H 'Content-Type: application/json' -d "$(cat filename.txt)"

6. The logout redirect configurations should take effect immediately. Test the logout flow


Powered by Zendesk