Oracle® Access Manager Integration Guide
10g (10.1.4.2)

Part Number E10356-01

A Configuring Logout

This appendix explains how to configure logout so that users can be logged out of all applications that they have accessed during a single sign-on session, including third-party applications that are integrated with Oracle Access Manager.

This appendix discusses the following topics:

    A.1 About Oracle Access Manager Logout
    A.2 How Logout Works
    A.3 Configuring and Customizing the Logout URL and Page
    A.4 Configuring Single Sign-Off for an Integration Between Oracle Access Manager and Another Product

A.1 About Oracle Access Manager Logout

If you use form-based authentication, you can automatically log users out of one or more applications by configuring a logout URL that removes session cookies and redirects users to a logout page. You can customize the default logout page, for example, to add a meta tag to redirect to another page after a few seconds.

Note that you must configure a logout link and URL for the Identity System applications and the Policy Manager as well as for any other protected resource. See the Oracle Access Manager Access System Administration Guide for details.

The following methods are available for configuring logout:

Note:

If you have multi-domain single sign-on configured, the logout URL only logs users out from applications in one domain. To ensure that logout occurs across domains, you may need to consider setting an absolute session timeout value.

A.2 How Logout Works

The WebGate logs a user out when it receives a URL containing the string "logout." (including the "."), for example, logout.html or logout.pl; the only exceptions are logout.gif and logout.jpg, which do not trigger logout. When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout."

The Access System sets an ObSSOCookie for each user or application that accesses a resource protected by a WebGate. The ObSSOCookie enables users to access resources that are protected by the Access System and that have the same or a lower authentication level. Removing the ObSSOCookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.

Oracle provides a logout.html page. This form is located in:

PolicyManager_install_dir/access/oblix/lang/en-us/logout.html

The logout.html form also contains JavaScript for removing the ObTEMC cookie set for the Identity System. However, by default this page does not contain the code to remove the ObSSOCookie. Calling the single sign-on logout URL usually, but not always, removes the ObSSOCookie, so you should manually add this code to logout.html.

The logout.html form also does not remove any cookies set by third-party applications. To ensure that users must re-authenticate, you may need to customize the single sign-on logout.html file to remove these cookies.

You can customize this page or create one or more new custom logout pages.

A.3 Configuring and Customizing the Logout URL and Page

You can configure one single sign-on logout URL and page that apply to all users and resources. Or, you can create different logout functions for different applications.

Task overview: Configuring and customizing logout

  1. Modify the default logout.html or create a new logout page.

    Include the string "logout." (including the ".") in the file name, for example, logout.html or logout.pl; the file names logout.gif and logout.jpg are the exceptions and are not treated as logout URLs.

    This page must contain JavaScript code to remove session cookies and an onLoad event in the body tag that runs the code, for example:

    <body onLoad="delOblixCookie();">
    
  2. Place the page in the same relative path on all appropriate Web servers.

    For example, if the SSO Logout URL is /public/logout/logout.html, this file must be known to the Web server that contains any page with the logout link.

  3. Protect the logout page with a policy that uses an Anonymous authentication scheme to ensure that anyone can access it.

    This is true for the SSO Logout URL and custom URLs. For example, if your SSO Logout URL is /public/logout/logout.html, ensure that this resource is protected at /public, /public/logout, or /public/logout/logout.html.

  4. Ensure that the logout URL is recognized by Oracle Access Manager.

    If you configured multiple logout pages, add them to the logoutURLs parameter for the WebGate. See the information on AccessGate configuration in the Oracle Access Manager Access System Administration Guide for details.

  5. Configure the SSO Logout URL.

    See the information on configuring a single sign-on logout URL in the Oracle Access Manager Access System Administration Guide for details. You should also add the SSO Logout URL to the list of URLs in the logoutURLs parameter.

  6. Add a link with the appropriate logout URL on all Web pages where this URL is needed.
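The WebGate's logout URL rule from A.2, together with the logoutURLs list from steps 4 and 5, modelled as an added example that is not Oracle's code. Case-insensitive matching, stripping of the query string, and the exact Set-Cookie text are assumptions made for this example.

```javascript
// Added example (not Oracle's code): a model of the WebGate rule described in
// A.2 and in steps 4-5. A request counts as a logout when its path contains
// "logout." (except for logout.gif / logout.jpg) or when it is listed in the
// WebGate's logoutURLs parameter. Case-insensitive matching is an assumption.
const IMAGE_EXCEPTIONS = ["logout.gif", "logout.jpg"];

// Reduce an absolute or relative URL to its path, dropping the query string.
function pathOf(url) {
  const noQuery = url.split("?")[0];
  const m = noQuery.match(/^[a-z][a-z0-9+.-]*:\/\/[^/]*(\/.*)?$/i);
  return m ? (m[1] || "/") : noQuery;
}

function isLogoutUrl(url, logoutURLs = []) {
  const lower = pathOf(url).toLowerCase();
  const file = lower.substring(lower.lastIndexOf("/") + 1);
  // explicitly configured logout URLs are always recognized
  if (logoutURLs.some(u => u.toLowerCase() === lower)) return true;
  // images used on the logout page itself must not trigger a logout
  if (IMAGE_EXCEPTIONS.includes(file)) return false;
  return lower.includes("logout.");
}

// What the WebGate does on a logout request: the ObSSOCookie is reset to the
// value "logout" (the "path=/" attribute is an assumption of this model), so
// the next request for a protected resource forces re-authentication.
function webgateResponse(url, logoutURLs = []) {
  if (!isLogoutUrl(url, logoutURLs)) return { logout: false, setCookie: null };
  return { logout: true, setCookie: "ObSSOCookie=logout; path=/" };
}
```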

A.4 Configuring Single Sign-Off for an Integration Between Oracle Access Manager and Another Product

For third-party products that enable you to configure customized logout URLs, for example, WebSphere and SAP, the third-party product deletes its application-specific cookies and then redirects the logout page to the Oracle Access Manager logout.html. When the WebGate finds the HTTP request for logout.html, it deletes the ObSSOCookie. For this type of logout, you only need to customize the logout URL for the third-party application. You do not need to specify logout URLs in Oracle Access Manager.

However, when you configure single sign-on between Oracle Access Manager and another product, logging out of the third-party product may not automatically end an Oracle Access Manager session. For example, if you configure single sign-on between Oracle Access Manager and Oracle's Siebel product, when you log out of Siebel, you are not necessarily also logged out of Oracle Access Manager.

As described in the previous sections of this appendix, you can configure single sign-off for these scenarios. For single sign-off to work, you must ensure that, at a minimum, the ObTEMC and ObSSOCookie cookies are deleted.

Oracle Access Manager provides a default logout.html file, as follows:

PolicyManager_install_dir/access/oblix/lang/en-us/logout.html

If you want to modify this file to log the user out of all application sessions that they started during the single sign-on session, you must include a JavaScript function to delete all cookies that Oracle Access Manager and the other applications use. For Oracle Access Manager, you must delete the following cookies when the logout page loads:

    ObTEMC
    ObSSOCookie

For other applications, you would delete the login cookies that they set. For example, if you want to also log the user out of MyApp, and this application sets MYAPP_COOKIE, you would also delete the following cookie:

    MYAPP_COOKIE

You may also want to delete cookies that are associated with various servers that are involved in the single sign-on session. The following are examples:

Example A-1 illustrates a logout.html page that contains a JavaScript function named delCookie. This function is called when the logout page is loaded in the user's browser. It deletes all Oracle Access Manager-related cookies.

Example A-1 also performs single sign-off for an application by deleting a cookie named myCustomApp that is set by an application called myCustomApp. The example assumes that the cookie contains login data that is required by myCustomApp. If the cookie exists, the application believes the user is still logged in. In the example, the line marked by the comment "Added myCustomAppCookie deletion" is the one added to delete the myCustomApp cookie. This ensures a clean logout when the logout page is loaded in the user's browser because all cookies related to the applications are deleted.

If you add a similar JavaScript function to the default logout.html page, ensure that this function deletes any relevant cookies. These are the cookies that control the session state of the application. Note that for applications that do not control session state using cookies, you must configure single sign-off using a method appropriate for that application.

Example A-1 Example of Single Sign-Off by Deleting a Cookie Named myCustomApp

<html>
<head>
<link rel="stylesheet" type="text/css" href="style2/coreid.css" />
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Description" content="Oracle Access Manager">
<meta name="Robot" content="none">
<meta name="Copyright" content="Copyright &copy; 1996-2006, Oracle. All Rights Reserved.">
<style type="text/css">
<!--
.unnamed1 {  font-family: Arial, Helvetica, sans-serif; font-size: 2pt}
-->
</style>
<title>Oracle Access Manager</title>
<script language="JavaScript">
    // Expire a cookie by rewriting it with a date two days in the past.
    // path and domain are optional; omitting domain targets the host-only cookie.
    function delCookie(name, path, domain) {
        var today = new Date();
        var deleteDate = new Date(today.getTime() - 48 * 60 * 60 * 1000); // minus 2 days
        var cookie = name + "="
                   + ((path == null) ? "" : "; path=" + path)
                   + ((domain == null) ? "" : "; domain=" + domain)
                   + "; expires=" + deleteDate.toUTCString();
        document.cookie = cookie;
    }

    // Called from the body onload event: deletes all session cookies.
    function delOblixCookie() {
        // set focus to the OK (close window) button
        var isNetscape = (document.layers);
        if (isNetscape == false || navigator.appVersion.charAt(0) >= 5) {
            for (var i = 0; i < document.links.length; i++) {
                if (document.links[i].href == "javascript:top.close()") {
                    document.links[i].focus();
                    break;
                }
            }
        }

        // Oracle Access Manager session cookies (host-only)
        delCookie('ObTEMC', '/');
        delCookie('ObSSOCookie', '/');

        // Added myCustomAppCookie deletion
        delCookie('myCustomApp', '/');

        // in case cookieDomain is configured,
        // delete the same cookies from all parent domains
        var subdomain;
        var domain = new String(document.domain);
        var index = domain.indexOf(".");
        while (index > 0) {
            subdomain = domain.substring(index, domain.length);
            if (subdomain.indexOf(".", 1) > 0) {
                delCookie('ObTEMC', '/', subdomain);
                delCookie('ObSSOCookie', '/', subdomain);
            }
            domain = subdomain;
            index = domain.indexOf(".", 1);
        }
    }
</script>
</head>
<body bgcolor="#ffffff" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" onload="delOblixCookie();">

<table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td rowspan="2" width="10%" bgcolor="#FFFFFF" align="center" valign="middle"> <img src="style2/LOGINoblixlogo.gif"/></td>
</tr>
<tr>
<td bgcolor="#0099CC" align="center" valign="middle"><img src="style2/LOGINaccesssystem.gif"/><br/></td>
<td bgcolor="#99CCCC" align="center" valign="middle"><img src="style2/LOGINversion.gif"/></td>
</tr>
<tr>
<td>&nbsp;</td>
<td align="right" valign="top">
<table border="0" cellspacing="0" cellpadding="0">
<tr align="right" valign="middle">
<td>
<a href="http://www.oracle.com"><font class="basictextfonts3" size="2" color="#003366"><b>Oracle Website</b></font></a>
|
<a href="http://www.oracle.com/support/contact.html">
<font class="basictextfonts3" size="2" color="#003366"><b>Online Support</b></font></a>
</td>
</tr>
</table>
</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&#160;</td>
<td align="center">
<br/>
<h3>Oracle Access Manager Applications</h3>
<h3>You have been logged out.</h3>
<h3>For security reasons, please close the browser window.</h3>
<a href="javascript:top.close()" onMouseOver="self.status='Close the browser window.'; return true"><img border="0" alt="Close the browser window." src="style2/NAVok.gif"></a>
</td>
<td>&#160;</td>
</tr>
<tr>
<td>&#160;</td>
<td>
<hr/>
<font class="basictextfonts3" size="1">
Copyright © 1996-2006, Oracle. All rights reserved. US Patent Numbers 6,539,379; 6,675,261; 6,782,379; 6,816,871. Portions copyright © 1991-2003, Compuware Corporation. Includes RSA BSAFE® cryptographic or security protocol software from RSA Security. Copyright © 2003, RSA Security Inc. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates.  Other names may be trademarks of their respective owners.
</font>
</td>
<td>&#160;</td>
</tr>
</table>
</body>
</html>
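A check for the requirement above that the logout page really deletes ObTEMC, ObSSOCookie and any application cookie: an added example, not part of Oracle's logout.html, that models a browser cookie jar and replays deletion strings built the way Example A-1 builds them. It deletes every listed name on every parent domain, which goes slightly beyond Example A-1; the hostnames and jar format are constructed for this example, and it does not apply public-suffix rules (such as ".co.uk") that real browsers enforce.

```javascript
// Added example (not Oracle's code): a minimal cookie-jar model used to verify
// that the deletion strings produced by an Example A-1 style logout page remove
// the named cookies. Public-suffix handling of real browsers is not modelled.
var EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT";

// Same walk as delOblixCookie: host-only cookie first, then every parent
// domain that still contains a second dot.
function deletionStrings(hostname, names) {
  const out = [];
  for (const n of names) out.push(`${n}=; path=/; expires=${EXPIRED}`);
  let domain = hostname;
  let index = domain.indexOf(".");
  while (index > 0) {
    const sub = domain.substring(index);
    if (sub.indexOf(".", 1) > 0) {
      for (const n of names) out.push(`${n}=; path=/; domain=${sub}; expires=${EXPIRED}`);
    }
    domain = sub;
    index = domain.indexOf(".", 1);
  }
  return out;
}

// Apply one Set-Cookie-style string to a jar of {name, domain, path} entries.
// Browsers key cookies on all three, so a deletion only hits an exact match;
// domain "" stands for a host-only cookie. Returns the updated jar.
function applySetCookie(jar, setCookie) {
  const [nv, ...attrs] = setCookie.split(";").map(s => s.trim());
  const name = nv.split("=")[0];
  const a = {};
  for (const s of attrs) {
    const eq = s.indexOf("=");
    if (eq < 0) continue;
    a[s.substring(0, eq).toLowerCase()] = s.substring(eq + 1);
  }
  const domain = a.domain || "";
  const path = a.path || "/";
  const gone = a.expires !== undefined && Date.parse(a.expires) < Date.now();
  const rest = jar.filter(c => !(c.name === name && c.domain === domain && c.path === path));
  return gone ? rest : rest.concat([{ name, domain, path }]);
}

// Replay the logout page's deletions against a jar and report which of the
// cookies that should be gone are still present, as "name@domain".
function remainingAfterLogout(jar, hostname, names) {
  let j = jar;
  for (const s of deletionStrings(hostname, names)) j = applySetCookie(j, s);
  return j.filter(c => names.includes(c.name)).map(c => `${c.name}@${c.domain || hostname}`);
}
```

A cookie the application set with a narrower path (for example /app) survives a deletion issued with path=/, so the check reports it and the logout page must delete it with the matching path.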