27.2 Introduction to Centralized Logout for Access Manager 11g

Unless explicitly stated, information in this chapter applies to OAM 11g WebGate Agents using the default embedded credential collector (ECC).

This section provides the following topics:

  • About Centralized Logout for 11g WebGates

  • About Logout Parameters for 11g WebGates

27.2.1 About Centralized Logout for 11g WebGates

Access Manager provides centralized logout (also known as global log out) for sessions.

Centralized logout refers to the process of terminating an active session, which means that:

  • Applications must not provide their own logout page for use in an SSO environment.

  • Applications must make their logout links configurable with a value that points to the logout URL specified by the WebGate Administrator.

Note:

Oracle strongly recommends that applications use the ADF Authentication servlet, which interfaces with OPSS where a domain-wide configuration parameter can be used to specify the logout URL. This way applications need not be modified or redeployed to change logout configuration.

Unlike partner applications, external applications (Yahoo! Mail, for example), do not delegate authentication to OAM and do not cede logout control to the OAM single sign-on server. It is the user's responsibility to log out of each of these applications.

Table 27-1 describes the circumstances under which centralized logout occurs. When the logout URL is encountered, the cookie (OAMAuthnCookie for 11g WebGates; ObSSOCookie for 10g WebGates) is removed, the WebGate logs the user out, and the user must re-authenticate.

Table 27-1 Centralized Logout Circumstances

Circumstance: Explicitly

Description: The client state is invalidated and the session ends. If a new attempt is made to access the resource, the client must re-authenticate. Explicit logout occurs:

  • When the user logs out.

  • When the Administrator terminates the session.

  • When the session is terminated based on changes on the identity side.

Circumstance: Implicitly

Description: When no user activity occurs within the defined session timeout period, the user is logged out automatically and redirected back to the partner with a new session ID and a new prompt for credentials. This occurs if no lower-level authentication is configured for the resource.

With Access Manager, a 10g WebGate that simply encounters a logout URL does not log the user out unless its logout.html explicitly redirects to the OAM Server logout page; it is that redirection to the Server logout that ends the session.

27.2.2 About Logout Parameters for 11g WebGates

Generally speaking, during centralized logout the SSO Engine receives a user-session-exists request and ultimately sends out a Session Cleared response. In between, the Session Management Engine looks up the session and responds with a session-exists response; the SSO Engine then sends a Clear Session request, the Session Management Engine clears the user token and the session context, and the SSO Engine sends the Session Cleared response.

Clearing the user token and the session context clears the server-side state, which includes clearing the OAM_ID cookie set on the server side. When the agent is notified, the agent clears the client-side state of the application.

Configuring 11g WebGates for logout against OAM Servers requires a Logout Callback URL (Table 15-3). Centralized logout for 11g agents sets the OAMAuthnCookie_<host:port>_<random number> value from loggedout to empty and expires the cookie, so that it is explicitly cleared during logout rather than left behind as an empty or logged-out cookie.

The SSO Engine supports the central logout page on the OAM Server and:

  • Calls back to Logout Callback URL of 11g Webgates during logout

    The WebGate parameter Logout Callback URL can be configured using a URI format (recommended), without host:port. OAM Server dynamically constructs the full URL based on the host:port in the original request and calls back on it. This can also be a full URL format with a host:port, where OAM Server calls back directly without reconstructing callback URL.

  • Lands on end_url (passed in as query parameter) after logout
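The server-side sequence just described (session lookup, Clear Session, callback to each 11g WebGate, landing on end_url) as an added simulation. This is illustrative code written for this page, not Oracle's implementation: the class names, the session store, the AGENTS registry, the per-agent host:port recorded in the session, and the idle-timeout handling that models the implicit logout case are all assumptions.

```python
# Added illustration of the OAM Server side of centralized logout (not Oracle code).
# Assumptions: the session records, for each participating agent, the host:port of
# its original request, so a URI-form Logout Callback URL can be completed from it.
import time
from urllib.parse import urlsplit

# Constructed sample registry: agent name -> configured Logout Callback URL.
AGENTS = {
    "app1_wg": "/oam_logout_success",                               # URI form (recommended)
    "app2_wg": "https://app2.example.com:4443/oam_logout_success",  # full-URL form
}


class SessionManagementEngine:
    """Server-side session store: session id -> token, user, agents, last access."""

    def __init__(self, idle_timeout_s):
        self.idle_timeout_s = idle_timeout_s
        self.sessions = {}

    def create(self, sid, user, agent_hosts, now):
        # agent_hosts: agent name -> host:port seen in that agent's original request
        self.sessions[sid] = {"token": f"tok-{user}", "user": user,
                              "agents": dict(agent_hosts), "last_access": now}

    def session_exists(self, sid, now):
        """Answer the 'user-session-exists' request. Implicit logout: a session idle
        longer than the timeout is treated as gone and dropped on lookup."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last_access"] > self.idle_timeout_s:
            del self.sessions[sid]
            return False
        return True

    def clear_session(self, sid):
        """Handle the 'Clear Session' request: drop token and session context."""
        return self.sessions.pop(sid, None)


def callback_url(configured, original_host_port, scheme="http"):
    """URI-form values (no scheme/host) are completed with the host:port of the
    original request; full URLs are called back on as-is."""
    if configured.startswith("/"):
        return f"{scheme}://{original_host_port}{configured}"
    if urlsplit(configured).netloc:
        return configured
    raise ValueError(f"unsupported Logout Callback URL: {configured!r}")


class SSOEngine:
    def __init__(self, sme):
        self.sme = sme

    def logout(self, sid, end_url, now=None):
        """Run one centralized logout and return the ordered steps performed."""
        now = time.time() if now is None else now
        steps = []
        if not self.sme.session_exists(sid, now):
            steps.append("no-session")              # already expired or cleared
        else:
            ctx = self.sme.clear_session(sid)       # token + context gone
            steps.append("session-cleared")
            steps.append("expire OAM_ID cookie")    # server-side cookie state
            for agent, host_port in sorted(ctx["agents"].items()):
                steps.append("callback " + callback_url(AGENTS[agent], host_port))
        steps.append("redirect " + end_url)         # land on end_url after logout
        return steps


if __name__ == "__main__":
    sme = SessionManagementEngine(idle_timeout_s=900)
    sme.create("s1", "alice", {"app1_wg": "app1.example.com:7777",
                               "app2_wg": "app2.example.com:7777"}, now=1000)
    for step in SSOEngine(sme).logout("s1", "http://app1.example.com:7777/home", now=1100):
        print(step)
```

The implicit case falls out of session_exists: a logout request for a session that has already idled past the timeout produces only the final redirect, with no callbacks, because there is no server-side state left to clear.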

Several elements in the 11g Webgate registration page enable centralized logout for 11g WebGates. After registration, the ObAccessClient.xml file is populated with the information in Table 27-2.

Table 27-2 Logout Details After Registration (ObAccessClient.xml)


Logout URL

(Applies to 10g and 11g WebGates.)

The Logout URL triggers the logout handler, which removes the cookie (ObSSOCookie for 10g WebGates; OAMAuthnCookie for 11g WebGates) and requires the user to re-authenticate the next time a resource protected by Access Manager is accessed.

  • If the request URL matches a configured Logout URL, the WebGate logout handler is triggered.

  • If no Logout URL is configured, the request URL is checked for the string "logout." and, if it is found (except in "logout.gif" and "logout.jpg"), the logout handler is also triggered.

Default = [] (not set)

Note: This is the standard 10g WebGate configuration parameter used to trigger initial logout through a customized local logout page as described in "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers".

Additional Logout for 11g WebGate Only

For 11g WebGate single sign-off behavior, the following elements and values automate the redirect to a central logout URL, callback URL, and end URL. This replaces the 10g WebGate approach, in which single sign-off is achieved only through a customized local logout page.

Logout Callback URL

The URL to oam_logout_success, which clears cookies during the call back. This can be a URI format without host:port (recommended), where the OAM Server calls back on the host:port of the original resource request. For example:

Default = /oam_logout_success

This can also be a full URL format with a host:port, where OAM Server calls back directly without reconstructing callback URL.

When the request URL matches the Logout Callback URL, the WebGate clears its cookies and streams a .gif image in the response. This is similar to OSSO agent behavior.

When the WebGate redirects to the server logout page, it records an "end" URL as a query parameter (end_url=http://host:port/...), which becomes the landing page that the OAM Server redirects back to after logout.

Note: In the remote registration template this parameter is named logoutCallbackUrl (Table 15-10).

Other Oracle Access Management services support the central logout page on the server. The end_url relies on the target URL query parameter passed from OPSS integrated applications. See Also: "Configuring Centralized Logout for Oracle ADF-Coded Applications".

Logout Redirect URL

This parameter is automatically populated after agent registration completes. By default, this is based on the OAM Server host name with a default port of 14200. For example:

Default = http://OAMServer_host:14200/oam/server/logout

The Logout URL triggers the logout handler, which removes the OAMAuthnCookie_<host:port>_<random number> and requires the user to re-authenticate the next time he accesses a resource protected by Access Manager.

  • When Webgate logout handler is triggered, it redirects to the central logout page specified by the Logout Redirect URL parameter if it is configured.

  • If this is explicitly cleared (and not configured), then 10g behavior applies: the local logout page is served instead, and it can carry a customized script that redirects to the central logout page and clears additional 3rd-party cookies if desired.

Logout Target URL

The value is the name of the query parameter that OPSS applications pass to the WebGate during logout. That query parameter carries the target URL of the landing page after logout.

Default: end_url

Note: The end_url value is configured using param.logout.targeturl in jps-config.xml.

  • If Logout Target URL is configured, the WebGate looks up that parameter in the logout request's query string and passes its value as the end_url query parameter in the redirect to the OAM Server.

  • If Logout Target URL is not configured, the WebGate looks up the default parameter name "end_url" and passes that end_url query parameter along.
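The WebGate-side behavior described in Table 27-2 (Logout URL matching and the "logout." fallback, the Logout Callback URL that clears the cookie and streams a GIF, the redirect to the Logout Redirect URL carrying end_url, and the Logout Target URL parameter name) as an added simulation. This is example code written for this page, not Oracle's WebGate: the WEBGATE_CONFIG dictionary stands in for the corresponding ObAccessClient.xml entries, the request/response shapes are assumptions, and the restriction of end_url to the request's own host:port is a defensive choice made for this example, not a behavior this page states.

```python
# Added illustration of the 11g WebGate side of centralized logout (not Oracle code).
# Assumptions: WEBGATE_CONFIG models the four Table 27-2 elements; a request is given
# as a full URL plus a list of "name=value" cookie strings.
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample registration values.
WEBGATE_CONFIG = {
    "logout_url": ["/logout"],                     # Logout URL (list; [] = not set)
    "logout_callback_url": "/oam_logout_success",  # Logout Callback URL (URI form)
    "logout_redirect_url": "http://oam.example.com:14200/oam/server/logout",
    "logout_target_url": "",                       # Logout Target URL ("" -> "end_url")
}
# Minimal 1x1 GIF streamed back on the callback.
ONE_PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
                 b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
                 b"\x00\x02\x02D\x01\x00;")


def is_logout_request(path, cfg):
    """Match against configured Logout URL(s); if none, fall back to the
    'logout.' substring rule, excluding logout.gif and logout.jpg."""
    if cfg["logout_url"]:
        return path in cfg["logout_url"]
    p = path.lower()
    return "logout." in p and not p.endswith(("logout.gif", "logout.jpg"))


def expire_cookie_header(name):
    """Set-Cookie that empties AND expires the cookie (no 'loggedout' cookie left)."""
    return f"{name}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"


def handle_request(url, cookies, cfg=WEBGATE_CONFIG):
    """Return (status, headers, body) for one request as the logout logic would."""
    parts = urlsplit(url)
    host_port = parts.netloc
    names = [c.split("=", 1)[0] for c in cookies]
    prefix = f"OAMAuthnCookie_{host_port}_"          # OAMAuthnCookie_<host:port>_<random>
    cookie_name = next((n for n in names if n.startswith(prefix)), None)
    query = parse_qs(parts.query)

    # 1. Logout Callback URL: clear the cookie, stream a GIF (like the OSSO agent).
    if parts.path == cfg["logout_callback_url"]:
        headers = {"Content-Type": "image/gif"}
        if cookie_name:
            headers["Set-Cookie"] = expire_cookie_header(cookie_name)
        return 200, headers, ONE_PIXEL_GIF

    # 2. Logout URL: logout handler clears the cookie, then redirects centrally.
    if is_logout_request(parts.path, cfg):
        headers = {}
        if cookie_name:
            headers["Set-Cookie"] = expire_cookie_header(cookie_name)
        redirect = cfg["logout_redirect_url"]
        if not redirect:
            # Logout Redirect URL explicitly cleared -> 10g behavior: local page.
            return 200, headers, b"<local logout page>"
        target_param = cfg["logout_target_url"] or "end_url"
        end_url = query.get(target_param, [None])[0]
        # Example-only safeguard: forward only a landing page on this host:port.
        if end_url and urlsplit(end_url).netloc not in ("", host_port):
            end_url = None
        if end_url:
            redirect += "?" + urlencode({"end_url": end_url})
        headers["Location"] = redirect
        return 302, headers, b""

    # 3. Anything else is an ordinary protected-resource request.
    return 200, {}, b"<resource>"


if __name__ == "__main__":
    cookies = ["OAMAuthnCookie_app.example.com:7777_1234567=abc"]
    print(handle_request("http://app.example.com:7777/logout?end_url=/home", cookies))
    print(handle_request("http://app.example.com:7777/oam_logout_success", cookies)[:2])
```

Note the order in the handler: the callback path is tested before the Logout URL match, otherwise a callback URL that happens to contain "logout." could be treated as a fresh logout and start a redirect loop with the server.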