For logging users out, you should disable log out from Self Service by hiding the link.

Otherwise, you need to make sure that the logout action from Self Service logs out the user from your single sign-on scheme.

To do this, you need to subclass atg.userprofiling.ProfileFormHandler, and in that class, override ProfileFormHandler.postLogoutUser(DynamoHttpServletRequest,
DynamoHttpServletResponse), making sure to call super.postLogoutUser(request, response) in the last line of that function.

Then override the Nucleus configuration for ProfileFormHandler to point at your subclass by creating a file in <ATG10dir>/localconfig/atg/userprofiling/ProfileFormHandler.properties that contains one line:

$class=com.acme.MyProfileFormHandler

Set com.acme.MyProfileFormHandler to the name of your subclass of ProfileFormHandler.

The postLogoutUser method will be called after the logout button is clicked in Self Service. Therefore, whichever code logs a user out of your single sign-on scheme is the code that should be invoked by the postLogoutUser method.