Oracle® Access Manager Access Administration Guide
10g (

Part Number E12488-01

B Configuring Logout

This appendix explains how to configure logout so that users can be logged out of all applications that they have accessed during a single sign-on session, including third-party applications that are integrated with Oracle Access Manager.

This appendix discusses the following topics:

B.1 About Oracle Access Manager Logout

If you are using form-based authentication, you can automatically log users out of one or more applications by configuring a logout URL that removes session cookies and redirects users to a logout page. You can customize the default logout page, for example, to add a meta tag to redirect to another page after a few seconds.


You must configure a logout link and URL for the Identity System applications and the Policy Manager as well as for any other protected resource. See "Configuring Logout for an Identity System Resource" for details.

The following methods are available for configuring logout:


If you have multi-domain single sign-on configured, note that the logout URL only logs users out from applications in one domain. To ensure that logout occurs across domains, you may need to consider setting an absolute session timeout value. See "Logout From a Single Domain Single Sign-On Session" for details.

B.2 How Logout Works

The WebGate logs a user out when it receives a URL containing "logout." (including the "."), with the exceptions of logout.gif and logout.jpg, for example, logout.html or When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout."

The Access System sets an ObSSOCookie for each user or application that accesses a resource protected by a WebGate. The ObSSOCookie enables users to access resources that are protected by the Access System and that have the same or a lower authentication level. Removing the ObSSOCookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.

Oracle provides a logout.html page. This form is located in:


The logout.html form also contains JavaScript for removing the ObTEMC cookie set for the Identity System. However, this page does not by default contain the code to remove the ObSSOCookie. Calling the single sign-on logout URL usually, but not always, removes the ObSSOCookie, so you should manually add this code to logout.html.

The logout.html form also does not remove any cookies set by third-party applications. To ensure that users must re-authenticate, you may need to customize the single sign-on logout.html file to remove these cookies.

You can customize this page or create one or more new custom logout pages.
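The matching rule described in this section can be checked against a site's URL inventory to find resources that would log users out by accident and logout pages whose names the WebGate would not recognize. The following JavaScript is an added example, not Oracle code: it assumes a case-sensitive substring match, and the function names and sample URLs are constructed for illustration.

```javascript
// Added example: models the rule stated in this appendix, not WebGate source code.
// Assumption: the match is a case-sensitive substring test on the request URL.
const EXEMPT = ["logout.gif", "logout.jpg"]; // exceptions named in this appendix

// True when the URL contains "logout." at least once outside an exempt name.
function triggersLogout(url) {
  let from = 0;
  for (;;) {
    const at = url.indexOf("logout.", from);
    if (at === -1) return false;
    const exempt = EXEMPT.some((name) => url.startsWith(name, at));
    if (!exempt) return true;
    from = at + 1; // keep scanning past the exempt occurrence
  }
}

// Classify site URLs against the pages that are meant to log users out.
function auditUrls(urls, intendedLogoutPages) {
  const report = { ok: [], unintendedLogout: [], logoutPageNotRecognized: [] };
  for (const url of urls) {
    const path = url.split(/[?#]/)[0];
    const intended = intendedLogoutPages.includes(path);
    const fires = triggersLogout(url);
    if (fires && !intended) report.unintendedLogout.push(url);
    else if (!fires && intended) report.logoutPageNotRecognized.push(url);
    else report.ok.push(url);
  }
  return report;
}

// Constructed sample inventory of URLs on a protected site.
const SAMPLE_URLS = [
  "/public/logout/logout.html",
  "/public/images/logout.gif",
  "/public/images/logout.jpg?v=2",
  "/public/css/logout.css",        // contains "logout." but is a stylesheet
  "/docs/autologout.policy.pdf",   // contains "logout." inside a longer name
  "/hr/signoff.html",              // meant as a logout page, lacks "logout."
];
const SAMPLE_REPORT = auditUrls(SAMPLE_URLS,
  ["/public/logout/logout.html", "/hr/signoff.html"]);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

Entries under unintendedLogout are candidates for renaming; entries under logoutPageNotRecognized need "logout." in the file name.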

B.3 Configuring and Customizing the Logout URL and Page

You can configure one single sign-on logout URL and page that apply to all users and resources. Or, you can create different logout functions for different applications.

Task overview: Configuring and customizing logout

  1. Modify the default logout.html or create a new logout page.

    Include the string "logout." (including the ".") in the file name, with the exceptions of logout.gif and logout.jpg, for example, logout.html or

    This page must contain JavaScript code to remove session cookies and an onLoad event to run the code in the body tag, for example:

    <body onLoad="delOblixCookie();">
  2. Place the page in the same relative path on all appropriate Web servers.

    For example, if the SSO Logout URL is /public/logout/logout.html, this file must be known to the Web server that contains any page with the logout link.

  3. Protect the logout page with a policy that uses an Anonymous authentication scheme to ensure that anyone can access it.

    This is true for the SSO Logout URL and custom URLs. For example, if your SSO Logout URL is /public/logout/logout.html, ensure that this resource is protected at /public, /public/logout or /public/logout/logout.html.

  4. Ensure that the logout URL is recognized by Oracle Access Manager.

    If you configured multiple logout pages, add them to the logoutURLs parameter for the WebGate. See "AccessGate Configuration Parameters" for details.

  5. Configure the SSO Logout URL.

    See "Configuring a Single Sign-On Logout URL" for details. You should also add the SSO Logout URL to the list of URLs in the logoutURLs parameter.

  6. Add a link with the appropriate logout URL on all Web pages where this URL is needed.

B.4 Configuring Single Sign-Off for an Integration Between Oracle Access Manager and Another Product

When you configure single sign-on between Oracle Access Manager and another product, logging out of the third-party product does not automatically end an Oracle Access Manager session. For example, if you configure single sign-on between Oracle Access Manager and Oracle's Siebel product, when you log out of Siebel, you are not necessarily logged out of Oracle Access Manager as well.

As described in the previous sections of this appendix, you can configure single sign-off for these scenarios. For single sign-off to work, you must ensure that, minimally, the ObTEMC and ObSSOCookie cookies are deleted.

Oracle Access Manager provides a default logout.html file, as follows:


If you want to modify this file to log the user out of all application sessions that they started during the single sign-on session, you must include a JavaScript function to delete all cookies that Oracle Access Manager and the other applications use. For Oracle Access Manager, you must delete the following cookies when the logout page loads:

For other applications, you would delete the login cookies that they set. For example, if you want to also log the user out of MyApp, and this application sets MYAPP_COOKIE, you would also delete the following cookie:

You may also want to delete cookies that are associated with various servers that are involved in the single sign-on session. The following are examples:

Example B-1 illustrates a logout.html page that contains a JavaScript function named delCookie. This function is called when the logout page is loaded in the user's browser. It deletes all Oracle Access Manager-related cookies.

Example B-1 also performs single sign-off for an application by deleting a cookie named myCustomApp that is set by an application called myCustomApp. The example assumes that the cookie contains login data that is required by myCustomApp. If the cookie exists, the application believes the user is still logged in. In the example, the line in bold would be added to delete the myCustomApp cookie. This ensures a clean logout when the logout page is loaded in the user's browser because all cookies related to the applications are deleted.

If you add a similar JavaScript function to the default logout.html page, ensure that this function deletes any relevant cookies. These are cookies that control the session state of the application. Note that for applications that do not control session state using cookies, you must configure single sign-off using a method appropriate for that application.
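One way to check a customized logout page before deploying it is a static check that the body tag actually calls a function on load and that every session cookie is deleted. The following JavaScript is an added example, not an Oracle tool: checkLogoutPage, esc and the two sample pages are constructed for illustration, and the check assumes the page deletes cookies through a helper named delCookie, as Example B-1 does.

```javascript
// Added example: heuristic regex check of a logout page, not an Oracle utility.
// Assumption: cookies are deleted through a helper named delCookie(name, path).
function esc(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

function checkLogoutPage(html, requiredCookies) {
  const problems = [];
  // 1. The body tag must run a function on load: the value needs "name()".
  const body = /<body\b[^>]*>/i.exec(html);
  const onload = body && /\bonload\s*=\s*"([^"]*)"/i.exec(body[0]);
  let handler = null;
  if (!onload) {
    problems.push("body tag has no onLoad handler");
  } else {
    const call = /^\s*([A-Za-z_$][\w$]*)\s*\(\s*\)\s*;?\s*$/.exec(onload[1]);
    if (call) handler = call[1];
    else problems.push('onLoad value "' + onload[1] + '" does not call a function');
  }
  // 2. The handler must be defined in the page itself.
  if (handler && !new RegExp("function\\s+" + esc(handler) + "\\s*\\(").test(html)) {
    problems.push("function " + handler + " is not defined in the page");
  }
  // 3. Every required cookie must be deleted with path "/".
  for (const name of requiredCookies) {
    const del = new RegExp("delCookie\\(\\s*['\"]" + esc(name) + "['\"]\\s*,\\s*['\"]/['\"]");
    if (!del.test(html)) problems.push("cookie " + name + " is never deleted");
  }
  return problems;
}

// Constructed sample pages (trimmed to the parts the check reads).
const GOOD_PAGE = `<html><head><script>
function delCookie(name, path, domain) { /* expires the cookie */ }
function delOblixCookie() {
  delCookie('ObTEMC', '/');
  delCookie('ObSSOCookie', '/');
  delCookie('myCustomApp', '/');
}
</script></head><body onload="delOblixCookie();"></body></html>`;

const BAD_PAGE = `<html><head><script>
function delCookie(name, path, domain) { /* expires the cookie */ }
function delOblixCookie() { delCookie('ObTEMC', '/'); }
</script></head><body onLoad="delOblixCookie"></body></html>`;

const REQUIRED = ["ObTEMC", "ObSSOCookie", "myCustomApp"];
console.log(checkLogoutPage(GOOD_PAGE, REQUIRED)); // no problems
console.log(checkLogoutPage(BAD_PAGE, REQUIRED));  // three problems
```

A page that passes still needs a browser test: a cookie flagged HttpOnly, or one set with a path other than "/", is not removed by script that writes document.cookie with path "/".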

Example B-1 Example of Single Sign-Off by Deleting a Cookie Named myCustomApp

<html>
<head><link rel="stylesheet" type="text/css" href="style2/coreid.css"></link>
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Description" content="Oracle Access Manager">
<meta name="Robot" content="none">
<meta name="Copyright" content="Copyright &copy; 1996-2006, Oracle. All Rights Reserved.">
<style type="text/css">
.unnamed1 {  font-family: Arial, Helvetica, sans-serif; font-size: 2pt}
</style>
<title>Oracle Access Manager</title>
<script language="JavaScript">
        // Expire a cookie by re-setting it with an empty value and a past date.
        // path and domain must match the values the cookie was set with.
        function delCookie(name,path,domain) {
                var today = new Date();
                var deleteDate = new Date(today.getTime() - 48 * 60 * 60 * 1000); // minus 2 days
                var cookie = name + "="
                             + ((path == null) ? "" : "; path=" + path)
                             + ((domain == null) ? "" : "; domain=" + domain)
                             + "; expires=" + deleteDate.toUTCString(); // HTTP date format
                document.cookie = cookie;
        }
        // Runs when the logout page loads: deletes the session cookies.
        function delOblixCookie() {
                // set focus to ok button
                var isNetscape = (document.layers);
                if (isNetscape == false || navigator.appVersion.charAt(0) >= 5) {
                        for (var i=0; i<document.links.length; i++) {
                                if (document.links[i].href == "javascript:top.close()") {
                                        document.links[i].focus();
                                        break;
                                }
                        }
                }
                delCookie('ObTEMC', '/');
                delCookie('ObSSOCookie', '/');
                // Added myCustomAppCookie deletion
                delCookie('myCustomApp', '/');
                // in case cookieDomain is configured
                // delete same cookie from all subdomains
                var subdomain;
                var domain = new String(document.domain);
                var index = domain.indexOf(".");
                while (index > 0) {
                        subdomain = domain.substring(index, domain.length);
                        // skip a bare top-level suffix such as ".com"
                        if (subdomain.indexOf(".", 1) > 0) {
                                delCookie('ObTEMC', '/', subdomain);
                                delCookie('ObSSOCookie', '/', subdomain);
                        }
                        domain = subdomain;
                        index = domain.indexOf(".", 1);
                }
        }
</script>
</head>
<body bgcolor="#ffffff" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" onload="delOblixCookie();">
<table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td rowspan="2" width="10%" bgcolor="#FFFFFF" align="center" valign="middle"> <img src="style2/LOGINoblixlogo.gif"/></td>
<td bgcolor="#0099CC" align="center" valign="middle"><img src="style2/LOGINaccesssystem.gif"/><br/></td>
</tr>
<tr>
<td bgcolor="#99CCCC" align="center" valign="middle"><img src="style2/LOGINversion.gif"/></td>
</tr>
<tr>
<td align="right" valign="top">
<table border="0" cellspacing="0" cellpadding="0">
<tr align="right" valign="middle">
<td>
<a href=""><font class="basictextfonts3" size="2" color="#003366"><b>Oracle Website</b></font></a>
</td>
<td>
<a href="">
<font class="basictextfonts3" size="2" color="#003366"><b>Online Support</b></font></a>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td align="center">
<center>
<h3>Oracle Access Manager Applications</h3>
<h3>You have been logged out.</h3>
<h3>For security reasons, please close the browser window.</h3><a href="javascript:top.close()" onMouseOver="self.status='Close the browser window.'; return true"><img border="0" alt="Close the browser window." src="style2/NAVok.gif"></a></center>
</td>
</tr>
</table>
<font class="basictextfonts3" size="1">
Copyright © 1996-2006, Oracle. All rights reserved. US Patent Numbers 6,539,379; 6,675,261; 6,782,379; 6,816,871. Portions copyright © 1991-2003, Compuware Corporation. Includes RSA BSAFE® cryptographic or security protocol software from RSA Security. Copyright © 2003, RSA Security Inc. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates.  Other names may be trademarks of their respective owners.
</font>
</body>
</html>