A.3 Configuring Centralized Logout for Oracle ADF-Coded Applications

The Access Manager SSO solution is available for applications that are coded to Oracle ADF standards and the OPSS SSO Framework. ADF-coded applications that are configured to perform logout with Access Manager redirect to the /oamsso/logout.html resource.

IAMSuiteAgent intercepts and processes the request, cleans up the session, redirects to the central logout page (done by the OAM Server) and redirects back to the end_url.

See Also:

Securing Applications with Oracle Platform Security Services

Note:

For ADF applications, only one extra configuration step is needed (to configure the OAMSSOProvider for OPSS).

Task overview: Protecting ADF-coded applications with Access Manager

  1. Review the following topic:
  2. Protect the ADF-coded application using either an:
    • 11g Webgate

    • 10g Webgate

  3. Perform the single extra configuration step for ADF-coded applications: configure the OAMSSOProvider.
  4. Perform logout configuration steps for your chosen Webgate version.

A.3.1 Centralized Logout Processing for Applications Coded to Oracle ADF Standards

ADF-coded applications are either applications that have been fully integrated with ADF or applications that simply use the ADF Authentication Servlet to integrate with OPSS.

In this case, logout is initiated when an ADF application causes the invocation of the logout URI. The following process overview outlines the Access Manager centralized logout process for applications coded to Oracle ADF standards.

Process overview: Centralized logout for ADF applications with 10g Webgate

  1. An ADF application causes the invocation of the following URI.

    /<application context root>/adfAuthentication?logout=true&end_url=<any uri>
    

    The end_url parameter specifies the URI to which the application returns control following logout.

  2. ADF invokes the configured OPSS SSO provider (OAM in this case) and delegates the logout functionality to the configured logout URI by redirecting the request to the logout URI. The end_url value is passed as a query string to the logout URI. For example: /oamsso/logout.html?end_url=<end_uri>.

  3. The logout URI is invoked on the Webgate front-ending the application.

  4. 10g Webgate clears the ObSSOCookie for its domain and loads the logout.html script.

  5. If the end_url parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url parameter as a URL. For example:

    http://serverhost:port/oam/server/logout?end_url=http://my.site.com/welcome.html
    
  6. Logic in logout.html redirects to the OAM Server. For example:

    http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/welcome.html
    
  7. The OAM Server executes logout as follows:

    1. Cleans up the session information associated with the user at the server side.

    2. Validates the end_url and sends a page with callback URLs to the user's browser.

      Note:

      The Logout Callback URL is specified in the expanded (not short) OAM Agent registration, as described in Table 15-3.

    3. From the callback page, a new request is initiated to a specific URI on each Webgate. When this request reaches the specific Webgate in the specific domain, the ObSSOCookie for that domain is cleared.

    4. The user is redirected to the end_url in the logout script. However, if the end_url parameter is not present, an appropriate message is sent by the OAM Server.

A.3.2 Configuring Centralized Logout for ADF-Coded Applications with Access Manager

The following procedure is similar to configuring logout for 10g Webgates, with a specific step for ADF-coded applications. The ADF-coded application must send the end_url value to identify where to redirect the user after logout processing. However, with ADF-coded applications, logout occurs when the application causes the following URI to be invoked:

 /<app context root>/adfAuthentication?logout=true&end_url=<any uri>

Note:

The Applcore framework could facilitate triggering the above URL, and the ADF application could leverage that.

Some steps in this procedure require the WebLogic Scripting Tool (WLST): wlst.sh (Linux) or wlst.cmd (Windows), which you must invoke from the WLST_install_dir.

To configure centralized logout for ADF-coded applications

  1. Check with the Administrator to confirm the location of the logout.html script configured with the agent, which you need in following steps.

  2. Configure OPSS for OAM as the SSO provider to update jps-config.xml for the WebLogic administration domain, as follows:

    1. On the computer hosting the Oracle WebLogic Server and the Web application using Oracle ADF security, locate the Oracle JRF WLST script. For example:

      cd $ORACLE_HOME/oracle_common/common/bin
      
    2. Connect to the computer hosting the Oracle WebLogic Server, enter the Administrator ID and password, and the host and port of the WebLogic AdminServer:

      wls:/> connect('admin_ID', 'admin_pw', 'hostname:port')
      

      For example, the Oracle WebLogic Administration Server host could be localhost using port 7001. However, your environment might be different.

    3. Check with the Administrator to confirm the location of the logout.html script configured with the agent.

      In Step 4, you must use the value provided by the Administrator. Here, the logouturi value is the URI of the logout script /logout.html. The value could either begin with "logout." (exceptions are logout.gif and logout.jpg) or it could be any other value configured by the Administrator.

    4. Enter the loginuri for ADF authentication and the logouturi (location of the logout.html script configured with the agent); the host and port are not needed.

      wls:/>addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",
      logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
      

      Here, loginuri=/${app.context}/adfAuthentication, and the logouturi value is the URI of the logout script /logout.html. The logouturi could either begin with "logout" (exceptions are logout.gif and logout.jpg) or it could be any other value configured by the Administrator.

  3. Required: The ADF application must pass the end_url parameter indicating where to redirect the user after logout, as follows:

    If the end_url parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url parameter as a URL. For example:

    http://serverhost:port/oam/server/logout?end_url=http://serverhost:port/welcome.html
    
  4. 11g Webgate: Perform steps in "Configuring Centralized Logout for 11g WebGates".

  5. 10g Webgate: Perform steps in "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers".
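The URL handling described in the A.3.1 process overview and again in Step 3 of the procedure above, as an added Node.js example that is not Oracle's logout.html or OPSS code: it builds the ADF logout URI, passes end_url through to the agent logout URI, qualifies a relative end_url with the local server's host:port, builds the redirect to the OAM Server logout endpoint, and models the end_url validation of process Step 7 as a host allowlist. The context root myapp, the hosts serverhost:7777 and myoamserverhost:14100, and the allowlist contents are constructed values; the allowlist check itself is an assumption, since the page states only that the OAM Server validates end_url.

```javascript
// Added example (not Oracle's logout.html or OPSS code): models the URL
// handling of the ADF centralized logout chain in plain Node.js. Hostnames,
// ports, the context root and the allowlist are constructed for the example.

// Step 1: the ADF application builds the logout URI under its context root.
function adfLogoutUri(contextRoot, endUrl) {
  const params = new URLSearchParams({ logout: 'true', end_url: endUrl });
  return `/${contextRoot}/adfAuthentication?${params.toString()}`;
}

// Step 2: the OPSS SSO provider redirects to the configured logouturi and
// passes end_url along as a query string parameter.
function providerRedirect(logoutUri, endUrl) {
  const params = new URLSearchParams({ end_url: endUrl });
  return `${logoutUri}?${params.toString()}`;
}

// Read end_url back out of a request URI (what logout.html sees on arrival).
function endUrlFromRequest(requestUri, localOrigin) {
  return new URL(requestUri, localOrigin).searchParams.get('end_url');
}

// Step 5: if end_url carries no scheme and host:port, qualify it with the
// local server's origin so the OAM Server receives an absolute URL.
function qualifyEndUrl(endUrl, localOrigin) {
  if (/^https?:\/\//i.test(endUrl)) {
    return endUrl;
  }
  return new URL(endUrl, localOrigin).toString();
}

// Step 6: build the redirect to the OAM Server logout endpoint.
function oamLogoutUrl(oamServerOrigin, qualifiedEndUrl) {
  const target = new URL('/oam/server/logout', oamServerOrigin);
  target.searchParams.set('end_url', qualifiedEndUrl);
  return target.toString();
}

// Step 7: the OAM Server validates end_url before sending the callback page.
// Checking against a host allowlist is an assumption of this example; the
// page only states that the value is validated.
function isAllowedEndUrl(endUrl, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(endUrl);
  } catch (e) {
    return false; // relative or malformed values are rejected here
  }
  const httpScheme = parsed.protocol === 'http:' || parsed.protocol === 'https:';
  return httpScheme && allowedHosts.includes(parsed.host);
}

// Walk the whole chain for one logout request and return each hop.
function logoutChain(contextRoot, endUrl, localOrigin, oamServerOrigin, allowedHosts) {
  const hop1 = adfLogoutUri(contextRoot, endUrl);
  const hop2 = providerRedirect('/oamsso/logout.html', endUrlFromRequest(hop1, localOrigin));
  const qualified = qualifyEndUrl(endUrlFromRequest(hop2, localOrigin), localOrigin);
  const hop3 = oamLogoutUrl(oamServerOrigin, qualified);
  const accepted = isAllowedEndUrl(endUrlFromRequest(hop3, oamServerOrigin), allowedHosts);
  return { hop1, hop2, hop3, accepted };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed values: context root "myapp", a Webgate-fronted server on
  // serverhost:7777 and an OAM Server on myoamserverhost:14100.
  const chain = logoutChain('myapp', '/welcome.html', 'http://serverhost:7777',
    'http://myoamserverhost:14100', ['serverhost:7777', 'my.site.com']);
  console.log(JSON.stringify(chain, null, 2));
}
```

Run it with node to print the three hops and the validation result. Because the allowlist check only accepts absolute http or https URLs, a relative end_url such as /welcome.html passes only after logout.html has qualified it with the local host:port, which is exactly the ordering the process overview describes.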

See Also:

"Scenario: Identity Propagation with the Access Manager Token" for details about setting up providers for Access Manager Identity Assertion.