59.10 Configuring Single Sign-off for Microsoft SharePoint Server

Manual Logout occurs when the user clicks the Logout button from SharePoint Server. You can configure the SharePoint Server logout URL in Access Manager so that when a user clicks the Logout button from SharePoint Server site, Access Manager logout is also triggered.

Closing the browser window after sign-off is always recommended, for security. Cookie time-out occurs when the overall user session is controlled by ObSSOCookie. Consider the following use-case:

  • FedAuth cookie time-out and ObSSOCookie is still valid: The user won't be challenged again because the ObSSOCookie is present. A new FedAuth cookie is generated (using the same flow described earlier).

  • ObSSOCookie time-out and FedAuth Cookie is still valid: Since each request is intercepted by the WebGate, the user is challenged for credentials again.

Access Manager provides single logout (also known as global or centralized log out) for user sessions. With Access Manager, single logout refers to the process of terminating an active user session.

This topic describes how to configure single sign-off for integration with SharePoint. Single sign-off kills the user session.

59.10.1 Configuring a Custom Logout URL in SharePoint Server

You can configure a custom logout URL in SharePoint Server.

To configure:

  1. From the generated artifacts for WebGate, add logout.html to the SharePoint Server Site
  2. Locate C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\CONTROLTEMPLATES.
  3. In \CONTROLTEMPLATES, change the welcome.ascx by adding the following tag. For example:
    <SharePoint:MenuItemTemplate runat="server" id="ID_OverrideLogout" Text="Custom Logout"       
         Description="My Custom Logout"
       UseShortId="true" />
  4. Click Save.
  5. Protect the two URLs /_layouts/SignOut.aspx and /_layouts/closeConnection.aspx in an Application Domain using Anonymous authentication.
  6. Proceed to Configuring Logout in SharePoint Server With Impersonation.

59.10.2 Configuring Logout in SharePoint Server With Impersonation

You can configure logout in SharePoint server with Impersonation. If you do not have Impersonation configured, this procedure can be skipped.

To configure:

  1. Copy signout.aspx from C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS) to MySignout.aspx in the same path.
  2. In MySignout.aspx, below (<asp:content contentplaceholderid="PlaceHolderAdditionalPageHead" runat="server">) add the following script details:
    <script runat="server">       
    private void Page_Load(object sender, System.EventArgs e){
     Response.Status = "302 Moved Temporarily";
     Response.AddHeader("Location", "/logout.html?end_url=/_layouts/SignOut.aspx");}
  3. Save.
  4. Use this URL _layouts/Mysignout.aspx as custom logout URL for SharePoint Server in the case of Impersonation.
  5. Proceed with "Testing Your Integration".