29.6 Configuring Logout for OSSO Agents with Access Manager 11.1.2

You can configure logout for OSSO Agents with Access Manager 11.1.2.

29.6.1 About Centralized Logout with OSSO Agents (mod_osso) and Access Manager

With OSSO Agents (mod_osso 10g), partner applications also cede logout control to the OAM Server (single sign-on server). When a user logs out of one application, the user is automatically logged out of all other applications.

Note:

No change is needed in the logout URL configuration of existing applications that use the OSSO Agent.

The following processes take place with centralized logout for mod_osso:

  1. Clicking Logout in an application takes the user to the page where logout occurs.

  2. When a user has signed off successfully, each of the applications listed on the centralized logout page has a check mark beside the application name.

  3. A broken image beside an application name identifies an unsuccessful logout.

  4. Once all of the application names activated in a session have a check mark, you can click Return to go to the application from which you initiated logout.

  5. Delete the custom mod_osso agent cookies on logout.

29.6.2 Removing Custom mod_osso Cookies on Logout

The OSSO server cookie includes a list of partner IDs.

Process overview: When a user logs off from one partner application

The following processes take place when a user logs off from one partner application:

  1. OSSO server pulls a list of the logout URLs.

  2. OSSO server clears its own cookie.

  3. OSSO server redirects to a customized JSP page (hosted on the OSSO server), and passes the list of logout URLs in the request.

  4. The JSP page loads those logout URLs, which contain image tags of check marks. As a result of the loading, the cookies for those mod_osso instances are cleared.

On user logout, however, some custom cookies set by OAM Server through authentication response settings might not get deleted. You can edit oam-config.xml to configure the OAM Server to delete custom cookies set during authentication when a user logs out of OAM. For instance, when integrating with Oracle E-Business Suite, the ORASSO_AUTH_HINT cookie is set by the application and should be included in the CookieNames list (or the UCM cookie, for example).

Syntax (beneath "PluginClass" Type=...):

<Setting Name="CookieDelMap" Type="htf:map">
  <Setting Name="CookieNames" Type="xsd:string">COOKIE_NAME</Setting>
</Setting>

The following procedure guides you as you edit the CookieDelMap element and add CookieNames as a single value or a comma-separated list of custom cookies to delete when a user logs out. This procedure also explains how to increment the oam-config.xml file version to propagate your change to all managed servers without restarting.

Note:

Work carefully. In general, Oracle recommends that you do not edit the oam-config.xml file. This, however, is a rare exception.

To delete custom mod_osso cookies on logout:

  1. Back up $DOMAIN_HOME/config/fmwconfig/oam-config.xml.
  2. In oam-config.xml, add (or edit) the CookieDelMap element and CookieNames.

    For example:

    <Setting Name="ResponsePluginSetting" Type="htf:map">
      <Setting Name="PluginClass" Type=... </Settings>
      <Setting Name="CookieDelMap" Type="htf:map">
        <Setting Name="CookieNames" Type="xsd:string">ORASSO_AUTH_HINT</Setting>
      </Setting>
    </Setting>
    
  3. Configuration Version: Increment the Version xsd:integer as shown in the next to last line of this example (existing value (25, here) + 1):

    Example:

    <Setting xmlns="http://www.w3.org/2001/XMLSchema"
      Name="NGAMConfiguration" Type="htf:map">
      <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
      <Setting Name="Version" Type="xsd:integer">25</Setting>
    </Setting>
    
  4. Save the file.
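
Before the saved file propagates to the managed servers, the edit can be checked against the backup taken in step 1. The following is an added example, not Oracle code: the function name check_edit and the sample documents are constructed for illustration, and it assumes Version is a direct child of the NGAMConfiguration root, as in the example above.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2001/XMLSchema}"  # default namespace declared on the root Setting

def _child(parent, name):
    """Return the direct child <Setting Name=name> of parent, or None."""
    return next((e for e in parent.findall(NS + "Setting") if e.get("Name") == name), None)

def check_edit(backup_xml, edited_xml, expected_cookies):
    """Return a list of problems; an empty list means the edit follows the procedure."""
    try:
        old, new = ET.fromstring(backup_xml), ET.fromstring(edited_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    try:  # step 3: Version must be the backup's value + 1
        old_n, new_n = (int(_child(t, "Version").text) for t in (old, new))
    except (AttributeError, TypeError, ValueError):
        problems.append("top-level Version setting missing or not an integer")
    else:
        if new_n != old_n + 1:
            problems.append(f"Version is {new_n}, expected {old_n + 1}")
    # step 2: CookieDelMap/CookieNames must sit inside ResponsePluginSetting
    plugin = next((e for e in new.iter(NS + "Setting")
                   if e.get("Name") == "ResponsePluginSetting"), None)
    del_map = _child(plugin, "CookieDelMap") if plugin is not None else None
    names = _child(del_map, "CookieNames") if del_map is not None else None
    if names is None:
        problems.append("CookieNames not found under ResponsePluginSetting/CookieDelMap")
    else:
        listed = [n.strip() for n in (names.text or "").split(",")]
        if "" in listed:
            problems.append("empty entry in CookieNames list")
        problems.extend(f"{c} not listed in CookieNames"
                        for c in expected_cookies if c not in listed)
    return problems

# Constructed sample, trimmed to the settings this check reads (not a real oam-config.xml).
SAMPLE = """<Setting xmlns="http://www.w3.org/2001/XMLSchema" Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
  <Setting Name="Version" Type="xsd:integer">{version}</Setting>
  <Setting Name="ResponsePluginSetting" Type="htf:map">{delmap}</Setting>
</Setting>"""
DELMAP = ('<Setting Name="CookieDelMap" Type="htf:map">'
          '<Setting Name="CookieNames" Type="xsd:string">ORASSO_AUTH_HINT</Setting></Setting>')
BACKUP = SAMPLE.format(version=25, delmap="")
EDITED = SAMPLE.format(version=26, delmap=DELMAP)

if __name__ == "__main__":
    print(check_edit(BACKUP, EDITED, ["ORASSO_AUTH_HINT"]))
```

An empty list means the file is well-formed, the cookie names are where the OAM Server reads them, and the version was incremented by exactly one.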