Unless explicitly stated, information in this chapter applies to OAM 11g WebGate Agents using the default embedded credential collector (ECC).
Access Manager provides centralized logout (also known as global log out) for sessions.
Centralized logout refers to the process of terminating an active session, which means that:
Applications must not provide their own logout page for use in an SSO environment.
Applications must make their logout links configurable with a value that points to the logout URL specified by the WebGate Administrator.
Note:
Oracle strongly recommends that applications use the ADF Authentication servlet, which interfaces with OPSS where a domain-wide configuration parameter can be used to specify the logout URL. This way applications need not be modified or redeployed to change logout configuration.
Unlike partner applications, external applications (Yahoo! Mail, for example), do not delegate authentication to OAM and do not cede logout control to the OAM single sign-on server. It is the user's responsibility to log out of each of these applications.
Table 27-1 describes the circumstances under which centralized logout occurs. When the logout URL is encountered, the session cookie is removed (OAMAuthnCookie for 11g WebGates; ObSSOCookie for 10g WebGates), the WebGate logs out the user, and the user must re-authenticate on the next access.
Table 27-1 Centralized Logout Circumstances

Circumstance | Description |
---|---|
Explicitly | The client state is invalidated and the session ends. If a new attempt is made to access the resource, the client must re-authenticate. |
Implicitly | When no user activity occurs within the defined session timeout period, the user is logged out automatically and redirected back to the partner with a new session ID and a new prompt for credentials. This occurs if no lower-level authentication is configured for the resource. With a 10g WebGate, the user is not logged out when the WebGate simply encounters a logout URL unless logout.html explicitly redirects to the OAM Server logout; in that case the WebGate redirects the user to the Server logout. |
Generally speaking, during centralized logout the SSO Engine receives a user-session-exists request and sends out a Session Cleared response. In detail: when the SSO Engine receives a user-session-exists request, the Session Management Engine looks up the session and responds with a session-exists response. The SSO Engine then sends a Clear Session request; the Session Management Engine clears the token and session context, and the SSO Engine sends a Session Cleared response.
Clearing the user token and the session context clears the server-side state, which includes clearing the OAM_ID cookie set on the server side. When the agent is notified, the agent clears the client-side state of the application.
Configuring 11g WebGates for logout against OAM Servers requires a Logout Callback URL (Table 15-3). Centralized logout for 11g agents sets the cookie from loggedout to empty and expires OAMAuthnCookie_<host:port>_<random number> to explicitly clear it during logout, rather than leaving behind an empty or logged-out cookie.
The SSO Engine supports the central logout page on the OAM Server and:

Calls back to the Logout Callback URL of 11g WebGates during logout. The WebGate parameter Logout Callback URL can be configured in URI format (recommended), without host:port; the OAM Server then dynamically constructs the full URL from the host:port in the original request and calls back on it. It can also be a full URL with host:port, in which case the OAM Server calls back directly without reconstructing the callback URL.

Lands on end_url (passed in as a query parameter) after logout.
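The logout choreography above (user-session-exists, Clear Session, Session Cleared, callback to each agent's Logout Callback URL, then landing on end_url) is easier to follow as code. The simulation below is an added example and is not Oracle's code; the host names, ports, session ids and cookie values are constructed for the example, the browser is modelled as simply delivering each callback URL to the agent registered for that host:port, and the restriction of end_url to registered application hosts is a hardening choice of this example, not behaviour the page describes. It shows both callback forms: a URI-form Logout Callback URL rebuilt from the agent's host:port, and a full-URL form used as-is.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# A Set-Cookie suffix that expires a cookie outright instead of leaving an empty one behind.
EXPIRED = "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"


@dataclass
class WebGate:
    """One registered 11g agent, holding the cookies the browser has for its host:port."""
    host_port: str
    logout_callback_url: str            # URI form (recommended) or full URL form
    cookies: dict = field(default_factory=dict)
    callbacks: list = field(default_factory=list)

    def handle(self, url: str) -> Optional[dict]:
        """Agent side: when the request URL matches the Logout Callback URL, expire every
        OAMAuthnCookie_<host:port>_<random> and answer with a GIF, as the page describes."""
        if urlparse(url).path != urlparse(self.logout_callback_url).path:
            return None
        self.callbacks.append(url)
        set_cookie = []
        for name in list(self.cookies):
            if name.startswith("OAMAuthnCookie_"):
                del self.cookies[name]            # cleared, not set to "loggedout" or empty
                set_cookie.append(f"{name}=; {EXPIRED}")
        return {"status": 200, "content_type": "image/gif", "set_cookie": set_cookie}


class SessionManagementEngine:
    """Server-side token and session context: session id -> set of host:port it touched."""
    def __init__(self):
        self.sessions: dict = {}

    def session_exists(self, sid: str) -> bool:      # answers the user-session-exists request
        return sid in self.sessions

    def clear_session(self, sid: str) -> None:       # Clear Session: token and context are gone
        self.sessions.pop(sid, None)


class SSOEngine:
    LOGOUT_PATH = "/oam/server/logout"                # path of the Logout Redirect URL

    def __init__(self, sme: SessionManagementEngine, agents: dict):
        self.sme = sme
        self.agents = agents                          # host:port -> WebGate

    def callback_url(self, agent: WebGate, host_port: str) -> str:
        u = urlparse(agent.logout_callback_url)
        if u.scheme and u.netloc:                     # full URL form: call back directly
            return agent.logout_callback_url
        return f"http://{host_port}{agent.logout_callback_url}"   # URI form: rebuild from host:port

    def logout(self, request_url: str, session_id: str) -> dict:
        end_url = parse_qs(urlparse(request_url).query).get("end_url", ["/"])[0]
        # Added hardening (assumption of this example, not described on the page): only land
        # on a registered application host or a relative path, so end_url is not an open redirect.
        if urlparse(end_url).netloc and urlparse(end_url).netloc not in self.agents:
            end_url = "/"
        if not self.sme.session_exists(session_id):  # user-session-exists -> nothing to clear
            return {"status": 302, "location": end_url, "callbacks": [], "set_cookie": []}
        hosts = sorted(self.sme.sessions[session_id])
        callbacks = [self.callback_url(self.agents[h], h) for h in hosts]
        self.sme.clear_session(session_id)            # Clear Session ... Session Cleared
        return {"status": 302, "location": end_url, "callbacks": callbacks,
                "set_cookie": [f"OAM_ID=; {EXPIRED}"]}  # server-side state, incl. OAM_ID cookie


def run_logout(end_url: str = "http://app1.example.com:7777/portal/loggedout") -> dict:
    """Constructed scenario: one session spanning two apps, URI-form and full-URL callbacks."""
    sme = SessionManagementEngine()
    app1 = WebGate("app1.example.com:7777", "/oam_logout_success",
                   {"OAMAuthnCookie_app1.example.com:7777_4f2a": "tok1"})
    app2 = WebGate("app2.example.com:7778", "http://app2.example.com:7778/oam_logout_success",
                   {"OAMAuthnCookie_app2.example.com:7778_9c10": "tok2", "JSESSIONID": "app-local"})
    sso = SSOEngine(sme, {a.host_port: a for a in (app1, app2)})
    sme.sessions["sid-1"] = {app1.host_port, app2.host_port}
    logout_url = f"http://oam.example.com:14200{SSOEngine.LOGOUT_PATH}?{urlencode({'end_url': end_url})}"
    resp = sso.logout(logout_url, "sid-1")
    # The GIF response suggests image-driven callbacks from the browser; modelled here by
    # delivering each callback URL to the agent registered for its host:port (assumption).
    for cb in resp["callbacks"]:
        sso.agents[urlparse(cb).netloc].handle(cb)
    return {"response": resp, "app1": app1, "app2": app2, "sme": sme,
            "second_logout": sso.logout(logout_url, "sid-1")}


if __name__ == "__main__":
    r = run_logout()
    print(r["response"]["callbacks"], r["response"]["location"], r["app1"].cookies, r["app2"].cookies)
```

Note that only the OAMAuthnCookie is expired by the callback; application-local cookies such as a JSESSIONID are untouched, which is why applications must route their logout links to the WebGate's logout URL rather than keeping a private logout page. A second logout for the same session id produces no callbacks, because the Session Management Engine no longer reports that the session exists.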
Several elements in the 11g WebGate registration page enable centralized logout for 11g WebGates. After registration, the ObAccessClient.xml file is populated with the information in Table 27-2.

Table 27-2 Logout Details After Registration (ObAccessClient.xml)

Element | Description |
---|---|
Logout URL (10g and 11g WebGates) | The Logout URL triggers the logout handler, which removes the cookie (ObSSOCookie for 10g WebGates; OAMAuthnCookie for 11g WebGates) and requires the user to re-authenticate the next time he accesses a resource protected by Access Manager. Default = [] (not set). Note: This is the standard 10g WebGate configuration parameter used to trigger initial logout through a customized local logout page, as described in "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers". |
Additional Logout (11g WebGate only) | For 11g WebGate single sign-off behavior, the following elements and values automate the redirect to a central logout URL, callback URL, and end URL. This replaces 10g WebGate single sign-off, which works only through a customized local logout page. |
Logout Callback URL | The URL the OAM Server calls back on during logout to have the WebGate clear its cookies. Default = /oam_logout_success. This can be a URI (recommended) or a full URL with host:port, in which case the OAM Server calls back directly without reconstructing the callback URL. When the request URL matches the Logout Callback URL, the WebGate clears its cookies and streams a .gif image in the response; this is similar to OSSO agent behavior. When the WebGate redirects to the server logout page, it records an "end" URL as a query parameter. Note: In the remote registration template this parameter is named logoutCallbackUrl (Table 15-10). Other Oracle Access Management services support the central logout page on the server. The end_url relies on the target URL query parameter passed from OPSS-integrated applications. See Also: "Configuring Centralized Logout for Oracle ADF-Coded Applications". |
Logout Redirect URL | This parameter is automatically populated after agent registration completes. By default it is based on the OAM Server host name with a default port of 14200, for example: Default = http://OAMServer_host:14200/oam/server/logout. The Logout Redirect URL triggers the logout handler, which removes OAMAuthnCookie_<host:port>_<random number> and requires the user to re-authenticate the next time he accesses a resource protected by Access Manager. |
Logout Target URL | The value is the name of the query parameter that OPSS applications pass to the WebGate during logout. This query parameter specifies the target URL of the landing page after logout. Default: end_url. Note: The end_url value is configured using param.logout.targeturl in jps-config.xml. |