Oracle® Access Manager Access Administration Guide
10g (10.1.4.0.1)

Part Number B25990-01

C Configuring Logout

If you are using form-based authentication, you can automatically log users out of one or more applications by configuring a logout URL that removes session cookies and redirects users to a logout page. You can customize the default logout page, for example, to add a meta tag to redirect to another page after a few seconds.

Note that you must configure a logout link and URL for the Identity System applications and the Policy Manager as well as for any other protected resource. See "Configuring Logout for an Identity System Resource" for details.

The following methods are available for configuring logout:


Note:

If you have multi-domain single sign-on configured, note that the logout URL only logs users out from applications in one domain. To ensure that logout occurs across domains, you may need to consider setting an absolute session timeout value. See "Logout From a Single Domain Single Sign-On Session" for details.

C.1 How Logout Works

The WebGate logs a user out when it receives a URL containing the string "logout." (including the "."), for example, logout.html or logout.pl. The exceptions are logout.gif and logout.jpg. When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout."

The Access System sets an ObSSOCookie for each user or application that accesses a resource protected by a WebGate. The ObSSOCookie enables users to access resources protected by the Access System that have the same or a lower authentication level. Removing the ObSSOCookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.

Oracle provides a logout.html page. This form is located in:

PolicyManager_install_dir/access/oblix/lang/en-us/logout.html

The logout.html form also contains JavaScript for removing the ObTemC cookie set for the Identity System. However, this page does not by default contain the code to remove the ObSSOCookie. Calling the single sign-on logout URL usually, but not always, removes the ObSSOCookie, so you should manually add this code to logout.html.

The logout.html form also does not remove any cookies set by third-party applications. To ensure that users must re-authenticate, you may need to customize the single sign-on logout.html file to remove these cookies.

You can customize this page or create one or more new custom logout pages.

C.2 Configuring and Customizing the Logout URL and Page

You can configure one single sign-on logout URL and page that apply to all users and resources. Or, you can create different logout functions for different applications.

Task overview: Configuring and customizing logout

  1. Modify the default logout.html or create a new logout page.

    Include the string "logout." (including the ".") in the file name, for example, logout.html or logout.pl. The names logout.gif and logout.jpg are exceptions.

    This page must contain JavaScript code to remove session cookies and an onLoad event in the body tag to run the code, for example:

    <body onLoad="delOblixCookie();">
    
    
  2. Place the page in the same relative path on all appropriate Web servers.

    For example, if the SSO Logout URL is /public/logout/logout.html, this file must be known to the Web server that contains any page with the logout link.

  3. Protect the logout page with a policy that uses an Anonymous authentication scheme to ensure that anyone can access it.

    This is true for the SSO Logout URL and custom URLs. For example, if your SSO Logout URL is /public/logout/logout.html, ensure that this resource is protected at /public, /public/logout, or /public/logout/logout.html.

  4. Ensure that the logout URL is recognized by Oracle Access Manager.

    If you configured multiple logout pages, add them to the logoutURLs parameter for the WebGate. See "AccessGate Configuration Parameters" for details.

  5. Configure the SSO Logout URL.

    See "Configuring a Single Sign-On Logout URL" for details. You should also add the SSO Logout URL to the list of URLs in the logoutURLs parameter.

  6. Add a link with the appropriate logout URL on all Web pages where this URL is needed.
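
A cookie-removal script for the logout page described in step 1, as an added example rather than the code in Oracle's shipped logout.html. The cookie names ObSSOCookie and ObTemC come from this page; the AppSession cookie, the paths, the .example.com domain and the helper function names are assumptions to replace with the values your deployment uses.

```javascript
// Added example, not Oracle's shipped logout.html code.
// ObSSOCookie and ObTemC are named on this page; AppSession, the paths and
// the .example.com domain are assumed placeholders for deployment values.
var COOKIES_TO_CLEAR = [
  { name: "ObSSOCookie", path: "/", domain: ".example.com" },
  { name: "ObTemC", path: "/" },
  { name: "AppSession", path: "/app" } // hypothetical third-party cookie
];

// Build a cookie string with an expiry date in the past. The browser removes
// a cookie only when path and domain match the values it was set with.
function expiredCookie(c) {
  var s = c.name + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=" + (c.path || "/");
  if (c.domain) { s += "; domain=" + c.domain; }
  return s;
}

// Expire each listed cookie on the given document; returns the strings written.
function clearCookies(doc, cookies) {
  return cookies.map(function (c) {
    var s = expiredCookie(c);
    doc.cookie = s;
    return s;
  });
}

// Names from the list still visible to script after clearing, which points
// to a path or domain mismatch. HttpOnly cookies are never visible here and
// cannot be removed by script at all.
function stillPresent(doc, cookies) {
  var seen = (doc.cookie || "").split(";").map(function (p) {
    return p.trim().split("=")[0];
  });
  return cookies
    .map(function (c) { return c.name; })
    .filter(function (n) { return seen.indexOf(n) !== -1; });
}

// Entry point, named as in the onLoad handler shown in step 1.
function delOblixCookie() {
  clearCookies(document, COOKIES_TO_CLEAR);
  return stillPresent(document, COOKIES_TO_CLEAR);
}
```

If delOblixCookie() returns a non-empty list when tested in the browser, the path or domain for those entries does not match how the cookie was set.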