diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bc8d4048edb1f307faff1cdba32600faedbd9f26..dba5349fec57c118ffe8f97a2a9cd0322b5a8084 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ variables:
 CONTAINER_GALAXY_URL: "${NDIP_DOCKER_REPOSITORY}/${CI_PROJECT_PATH}"
 CONTAINER_GALAXY_BASE_URL: "${CONTAINER_GALAXY_URL}/base"
 CONTAINER_GALAXY_COMMIT_URL: "${CONTAINER_GALAXY_URL}/commit"
- GALAXY_VERSION_PYTHON: 24.2.dev4+ornl
- GALAXY_VERSION_DOCKER: 24.2.dev4.ornl
+ GALAXY_VERSION_PYTHON: 24.2.dev5+ornl
+ GALAXY_VERSION_DOCKER: 24.2.dev5.ornl
 # This import is for the func_rse_docker_* functions
 before_script:
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index d8fd3a6f5ff20d9293a0b885e6f78219eb5965f4..2a9a45789bd332c70d06b274dedc43219b655ce1 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -590,7 +590,6 @@ class OIDCAuthnzBase(IdentityProvider):
 custos_authnz_token = self._get_custos_authnz_token(sa_session, user_id, self.config.provider)
 user = custos_authnz_token.user if custos_authnz_token else None
- self.refresh(sa_session, custos_authnz_token, 90)
 return user, decoded_jwt
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 70451874d32b8900be3659b137e40640f07409c3..d8bb7fac16e93bde7e3139de8dad4dd740441505 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
@@ -329,7 +329,6 @@ class PSAAuthnz(IdentityProvider):
 user_id = decoded_jwt["unique_name"]
 authnz_token = self._get_authnz_token(sa_session, user_id, self.config["provider"])
 user = authnz_token.user if authnz_token else None
- self.refresh(sa_session, authnz_token, 90)
 return user, decoded_jwt
 @staticmethod
diff --git a/lib/galaxy/config/schemas/config_schema.yml b/lib/galaxy/config/schemas/config_schema.yml
index a6dbbd35a678347c6abd3d2fc2b0fe71746970cd..f1e4016e686a77fae555e55509cf55c3ad47162a 100644
--- a/lib/galaxy/config/schemas/config_schema.yml
+++ b/lib/galaxy/config/schemas/config_schema.yml
@@ -4168,3 +4168,11 @@ mapping:
 Number of seconds before file source content listings are refreshed. Shorter times will result in more queries while browsing a file sources. Longer times will result in fewer requests to file sources but outdated contents might be displayed to the user. Currently only affects s3fs file sources.
+
+ external_login_redirect_cookie:
+ type: str
+ default: "galaxy-external-login-redirect"
+ required: false
+ desc: |
+ The name of a cookie to check after Galaxy has been logged into via an external third party. If present, Galaxy
+ will redirect to the url contained in the cookie.
\ No newline at end of file
diff --git a/lib/galaxy/managers/configuration.py b/lib/galaxy/managers/configuration.py
index 68f312a3dfb536a21e608f24bbffb5cde2e4c2d8..71060fae8a6a85f32ece9ae587f811c891a58676 100644
--- a/lib/galaxy/managers/configuration.py
+++ b/lib/galaxy/managers/configuration.py
@@ -233,6 +233,7 @@ class ConfigSerializer(base.ModelSerializer):
 "enable_help_forum_tool_panel_integration": _use_config,
 "disable_batch_input": _use_config,
 "llm_api_configured": lambda item, key, **context: bool(item.openai_api_key),
+ "external_login_redirect_cookie": _defaults_to("galaxy-external-login-redirect")
 }
diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py
index 32a7ce5813a93c8e8ea3f543073cff4d108da762..a0c0274729846b2bb9c77a92e02d683e9d2b346a 100644
--- a/lib/galaxy/webapps/galaxy/controllers/authnz.py
+++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py
@@ -77,7 +77,7 @@ class OIDC(JSAppLauncher):
 @web.json
 @web.expose
- def login(self, trans, provider, idphint=None, next=None):
+ def login(self, trans, provider, idphint=None, next=None, external_redirect=None):
 if not trans.app.config.enable_oidc:
 msg = "Login to Galaxy using third-party identities is not enabled on this Galaxy instance."
 log.debug(msg)
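Review bot: The `desc` for `external_login_redirect_cookie` tells the administrator only that Galaxy "will redirect to the url contained in the cookie", which leaves out the two facts an operator needs to assess the option: what the cookie value is checked against before it is followed, and that the cookie is cleared once used. The controller in this same commit accepts only values beginning with `http://` or `https://`; the description should state that constraint explicitly (and any host restriction that is added later) so the documented contract matches the code. The added block also ends with `\ No newline at end of file`; the file should end with a newline like the rest of the schema.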
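Review bot: The new serializer entry hard-codes `"galaxy-external-login-redirect"` a second time, while the schema hunk in this commit already declares that same string as the option's `default`, so an operator who changes the cookie name in the config would, depending on what `_defaults_to` does with a configured value, see the client told one name while the server reads another. If `_use_config` reads the config attribute of the same name, as the neighbouring `_use_config` entries suggest, `"external_login_redirect_cookie": _use_config,` keeps a single source of truth; otherwise the reason for a serializer-side default should be stated in a comment. The added line also omits the trailing comma every other entry in this dict carries.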
@@ -91,6 +91,10 @@ class OIDC(JSAppLauncher):
 trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
 success, message, redirect_uri = trans.app.authnz_manager.authenticate(provider, trans, idphint)
 if success:
+ if external_redirect:
+ trans.set_cookie(value=external_redirect, name=trans.app.config.external_login_redirect_cookie)
+ return trans.response.send_redirect(url_for(redirect_uri))
+
 return {"redirect_uri": redirect_uri}
 else:
 raise exceptions.AuthenticationFailed(message)
@@ -149,6 +153,11 @@ class OIDC(JSAppLauncher):
 trans.set_cookie(value=provider, name=PROVIDER_COOKIE_NAME)
 # Clear the login next cookie back to default.
 trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
+
+ external_login = trans.get_cookie(trans.app.config.external_login_redirect_cookie)
+ if external_login and (external_login.find("https://") == 0 or external_login.find("http://") == 0):
+ trans.set_cookie(value="", name=trans.app.config.external_login_redirect_cookie)
+ return trans.response.send_redirect(url_for(external_login))
 return trans.response.send_redirect(url_for(redirect_url))
 @web.expose
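Review bot: The callback in the second hunk (`@@ -149`) sends the freshly logged-in user to whatever absolute URL is in the external-login cookie, and the first hunk (`@@ -91`) fills that cookie straight from the `external_redirect` request parameter, so across the two hunks the only check on the destination is the scheme prefix, not the host — an open redirect that also accepts plain `http://`. The destination should be validated against a configured allow-list of permitted redirect origins (a companion option to `external_login_redirect_cookie`, compared by parsed scheme and host via `urllib.parse.urlsplit`), with the check applied before the `set_cookie` in `login` as well as before the `send_redirect` in the callback, and anything that fails it silently ignored. The prefix test itself reads more naturally as `external_login.startswith(("https://", "http://"))`. Two smaller points to confirm: `login` is decorated `@web.json` yet the new branch returns a redirect, and whether the decorator passes that through unchanged is not visible here; and resetting the cookie with `value=""` leaves an empty cookie rather than expiring it, and whether `trans.set_cookie` marks it `HttpOnly`/`Secure` cannot be seen from the hunk. Both enclosing methods start and end outside their hunks.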