Oracle® Access Manager Access Administration Guide
Part Number E12488-01
This appendix explains how to configure logout so that users can be logged out of all applications that they have accessed during a single sign-on session, including third-party applications that are integrated with Oracle Access Manager.
This appendix discusses the following topics:
If you are using form-based authentication, you can automatically log users out of one or more applications by configuring a logout URL that removes session cookies and redirects users to a logout page. You can customize the default logout page, for example, to add a meta tag to redirect to another page after a few seconds.
Note: You must configure a logout link and URL for the Identity System applications and the Policy Manager as well as for any other protected resource. See "Configuring Logout for an Identity System Resource" for details.
The following methods are available for configuring logout:
One Oracle Access Manager-provided logout function: You can configure a single sign-on logout URL and logout page that removes the user's session cookies.
See "Configuring a Single Sign-On Logout URL" for details.
Multiple logout functions: You can configure different logout URLs and pages for different purposes based on the Oracle Access Manager-provided default.
Third-party program for logging out users: You can define your own logout functionality.
Note: If you have multi-domain single sign-on configured, note that the logout URL only logs users out from applications in one domain. To ensure that logout occurs across domains, you may need to consider setting an absolute session timeout value. See "Logout From a Single Domain Single Sign-On Session" for details.
The WebGate logs a user out when it receives a URL containing the string "logout." (including the "."), for example, logout.html or logout.pl; the image files logout.gif and logout.jpg are the exceptions. When the WebGate receives a URL with this string, it sets the value of the ObSSOCookie to "logout."
The Access System sets an ObSSOCookie for each user or application that accesses a resource protected by a WebGate. The ObSSOCookie enables users to access resources protected by the Access System that have the same or a lower authentication level. Removing the ObSSOCookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.
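The URL rule above is easy to get wrong when naming custom logout pages (a page called logout with no extension, or an image named logout.gif, is not treated as a logout). The following is an added example, not Oracle's WebGate code: it models the rule as stated in this appendix so that a list of configured logout URLs can be checked. It assumes the query string and fragment are not inspected and that the exceptions apply to the logout.gif and logout.jpg file names.

```javascript
// Added example (not part of Oracle Access Manager): models the WebGate rule
// that a request containing "logout." triggers logout, except for the image
// files logout.gif and logout.jpg.
function isLogoutUrl(url) {
  // Assumption: only the path is examined; query string and fragment are dropped.
  const path = url.split(/[?#]/)[0];
  const marker = "logout.";
  let idx = path.indexOf(marker);
  while (idx !== -1) {
    // Text between "logout." and the next "/" (or the end) is the extension.
    const ext = path.slice(idx + marker.length).split("/")[0];
    if (ext !== "gif" && ext !== "jpg") return true; // e.g. logout.html, logout.pl
    idx = path.indexOf(marker, idx + 1);
  }
  return false; // no "logout." at all, or only the image exceptions
}

// Given the URLs an administrator intends to use as logout URLs (for example
// the values placed in the WebGate's logoutURLs parameter), return those the
// WebGate would NOT recognize as logout requests.
function unrecognizedLogoutUrls(urls) {
  return urls.filter((u) => !isLogoutUrl(u));
}

// Constructed sample list for illustration.
const SAMPLE_LOGOUT_URLS = [
  "/public/logout/logout.html",
  "/cgi-bin/logout.pl?app=hr",
  "/images/logout.gif",
  "/public/logout/",
];
console.log("Not recognized as logout:", unrecognizedLogoutUrls(SAMPLE_LOGOUT_URLS));
```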
Oracle provides a logout.html page. This form is located in:
The logout.html form does not remove any cookies set by third-party applications. To ensure that users must re-authenticate, you may need to customize the single sign-on logout.html file to remove these cookies.
You can customize this page or create one or more new custom logout pages.
You can configure one single sign-on logout URL and page that apply to all users and resources. Or, you can create different logout functions for different applications.
Modify the default logout.html or create a new logout page.
Include the string "logout." (including the ".") in the file name, for example, logout.html or logout.pl; logout.gif and logout.jpg are the exceptions.
Place the page in the same relative path on all appropriate Web servers.
For example, if the SSO Logout URL is /public/logout/logout.html, this file must be known to the Web server that contains any page with the logout link.
Protect the logout page with a policy that uses an Anonymous authentication scheme to ensure that anyone can access it.
This is true for the SSO Logout URL and custom URLs. For example, if your SSO Logout URL is /public/logout/logout.html, ensure that this resource is protected at /public, /public/logout, or /public/logout/logout.html.
Ensure that the logout URL is recognized by Oracle Access Manager.
If you configured multiple logout pages, add them to the logoutURLs parameter for the WebGate. See "AccessGate Configuration Parameters" for details.
Configure the SSO Logout URL.
See "Configuring a Single Sign-On Logout URL" for details. You should also add the SSO Logout URL to the list of URLs in the logoutURLs parameter.
Add a link with the appropriate logout URL on all Web pages where this URL is needed.
When you configure single sign-on between Oracle Access Manager and another product, logging out of the third-party product does not automatically end an Oracle Access Manager session. For example, if you configure single sign-on between Oracle Access Manager and Oracle's Siebel product, when you log out of Siebel, you are not necessarily logged out of Oracle Access Manager as well.
As described in the previous sections of this appendix, you can configure single sign-off for these scenarios. For single sign-off to work, you must ensure that, minimally, the ObTEMC and ObSSOCookie are deleted.
Oracle Access Manager provides a default logout.html file, as follows:
For other applications, you would delete the login cookies that they set. For example, if you want to also log the user out of MyApp, and this application sets MYAPP_COOKIE, you would also delete the following cookie:
You may also want to delete cookies that are associated with various servers that are involved in the single sign-on session. The following are examples:
delCookie. This function is called when the logout page is loaded in the user's browser. It deletes all Oracle Access Manager-related cookies.
Example B-1 also performs single sign-off for an application by deleting a cookie named myCustomApp that is set by an application called myCustomApp. The example assumes that the cookie contains login data that is required by myCustomApp. If the cookie exists, the application believes the user is still logged in. In the example, the line in bold would be added to delete the myCustomApp cookie. This ensures a clean logout when the logout page is loaded in the user's browser because all cookies related to the applications are deleted.
Example B-1 Example of Single Sign-Off by Deleting a Cookie Named myCustomApp
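The cookie-removal step that a custom logout page performs, written as an added illustration (this is not Oracle's logout.html and not Example B-1): it expires the ObTEMC and ObSSOCookie named in this appendix together with an application login cookie, using MYAPP_COOKIE from the text above as the application cookie. The cookie domain is a placeholder that must be replaced with the domain the WebGate actually sets its cookies on, and the function accepts any object with a `cookie` property so it can be exercised outside a browser.

```javascript
// Added example, not Oracle's logout.html. A browser can only remove a cookie
// by overwriting it with an already-expired value whose name, path and domain
// match the original, so those attributes are built explicitly here.
function expireCookieString(name, path, domain) {
  let s = name + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=" + path;
  if (domain) s += "; domain=" + domain;
  return s;
}

// Expire every listed cookie on `doc` (window.document in a browser, or any
// object with a readable/writable `cookie` property). Each cookie is expired
// both for the shared SSO domain and as a host-only cookie, because either
// form may have been set. Returns the names that were present beforehand,
// which a logout page can display for troubleshooting.
function delCookies(doc, names, domain) {
  const present = names.filter((n) =>
    new RegExp("(^|;\\s*)" + n + "=").test(doc.cookie)
  );
  for (const n of names) {
    doc.cookie = expireCookieString(n, "/", domain);
    doc.cookie = expireCookieString(n, "/", "");
  }
  return present;
}

// Cookies a single sign-off page must clear: the two Oracle Access Manager
// cookies named in this appendix plus the application's own login cookie.
const SSO_LOGOUT_COOKIES = ["ObSSOCookie", "ObTEMC", "MYAPP_COOKIE"];

// Placeholder (assumption): replace with the cookie domain the WebGate uses.
const SSO_COOKIE_DOMAIN = ".example.com";

// In a browser this runs when the logout page loads; elsewhere there is no
// document and nothing is touched.
if (typeof document !== "undefined") {
  const cleared = delCookies(document, SSO_LOGOUT_COOKIES, SSO_COOKIE_DOMAIN);
  console.log("Cleared session cookies:", cleared.join(", "));
}
```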