SiteMinder Logout


When the API Gateway authenticates to CA SiteMinder on behalf of a user, SiteMinder can issue a single sign-on token as evidence of the authentication event. The token is eventually returned to the client, which can then use it in subsequent requests to the API Gateway.

Instead of authenticating the client against SiteMinder for every request, the API Gateway need only validate the token. If the token validates, the client can be considered authenticated. If the token does not validate, the client is not considered authenticated.

You can use the SiteMinder Logout filter to invalidate a single sign-on token that was previously issued by SiteMinder. When the token has been invalidated, the client is no longer be considered authenticated.

[Note] Note

You must have already validated the session before calling the SiteMinder Logout filter in your policy. For more details, see the SiteMinder Session Validation topic.


Integration with CA SiteMinder requires CA SiteMinder SDK version 12.0-sp1-cr005 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.

API Gateway

To add third-party binaries to the API Gateway, you must perform the following steps:

  1. Add the binary files as follows:

    • Add .jar files to the install-dir/apigateway/ext/lib directory.

    • Add .dll files to the install-dir\apigateway\Win32\lib directory.

    • Add .so files to the install-dir/apigateway/platform/lib directory.

  2. Restart the API Gateway.

Policy Studio

To add third-party binaries to Policy Studio, you must perform the following steps:

  1. Select Windows -> Preferences -> Runtime Dependencies in the Policy Studio main menu.

  2. Click Add to select a JAR file to add to the list of dependencies.

  3. Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.

  4. Click OK.

  5. Restart Policy Studio.


Enter a name for the filter in the Name field of the SiteMinder Logout screen.