27.3 Configuring Centralized Logout for 11g WebGates

This section provides the following topics:

27.3.1 Configuring Centralized Logout for 11g WebGates When the ECC is Used

During 11g Resource WebGate registration or editing, you configure the logout parameters.

Note:

If the LogOutUrl parameter is already configured for the 11g WebGate (with a value other than /oamsso/logout.html), then ensure that is also present as part of the LogOutUrl parameter.

To configure centralized logout for 11g WebGates:

  1. Choose your method for registration, as described in "Registering and Managing OAM 11g Agents".

  2. When creating or editing an agent registration, include appropriate logout values for your environment (Table 27-2):

    • Logout URL

    • Logout Callback URL

    • Logout Redirect URL

    • Logout Target URL

  3. Finish and save your agent registration, as usual.

  4. Multiple DNS Domains: Perform the following steps if you have multiple DNS domains configured for Access Manager 11g SSO.

    Note:

    The Logout Callback URL can be unique for each WebGate; however, to construct the Logout Callback URL for each WebGate, it is sufficient for the OAM Server to know the host and port of each WebGate from each domain. The file that the Logout Callback URL points to must differ from the logout.html script in the WebGate installation directory.

    1. Configure the Logout Callback URL as the second value in the logOutUrls parameter on each resource WebGate.

      The Logout Callback URL is the location on the WebGate to which the request must be sent to clear the SSO cookie in that domain. The Logout Callback URL cannot be logout.html.

    2. Ensure that a file physically exists on each Web server at the Logout Callback URL location (usually, at the same location as logout.html).

      For example, if you configure a file named logout.png in the same location as logout.html, then the Logout Callback URL of logout.png would be:

      /oamsso/logout.png 
      
  5. Perform the steps in "Validating Global Sign-On and Centralized Logout".

27.3.2 Configuring Logout When Using Detached Credential Collector-Enabled WebGate

When the DCC receives a logout request from the Agent, the DCC:

  • Decrypts the logout request, if needed

  • Retrieves the end_url and, if needed, constructs the full URL with the Agent's host:port

  • Clears the DCC cookie (DCCCtxCookie)

  • Sends the logout request across the back channel to terminate the session

  • Gets a logout page containing links to all visited agents from the OAM Server (which has this information), or gets only a list of the visited agents from the OAM Server to construct a logout page locally, and redirects the user to this page on the DCC

  • Returns to the end_url after logout completes

To configure logout for Resource Webgates separate from DCC:

  1. Confirm that the Perl scripts for DCC logout ($WEBGATE_HOME/oamsso-bin/*pl) include the actual location of the Perl executable on the Webgate host.

  2. Resource Webgate: Modify the Logout Redirect URL to point to DCC's logout.pl:

    1. Find the Resource Webgate Registration: See "WebGate Search Controls".

    2. Modify the Logout Redirect URL to point to the DCC's logout.pl. For example:

      • http://DCCWGhost:port/oamsso-bin/logout.pl

      Note:

      The DCC ignores the Logout Redirect URL parameter in the Webgate registration page. However, if the Resource Webgate Logout Redirect URL is anything other than logout.*, then that URL must be defined in DCC Logout URLs. See Table 24-3.

  3. Perform the steps in "Validating Global Sign-On and Centralized Logout".
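
One way to carry out the check in step 1, as an added example that is not Oracle's code: it reads the first line of every script matching $WEBGATE_HOME/oamsso-bin/*pl and confirms that the interpreter it names exists and is executable. It assumes that "the actual location of the Perl executable" refers to each script's `#!` line; `check_perl_shebangs`, `demo_constructed` and the file `sample.pl` are names chosen here.

```shell
#!/bin/sh
# Added example (not Oracle's code). Assumption: "the actual location of the
# Perl executable" means the "#!" interpreter line of each script.

# check_perl_shebangs DIR: one OK/FAIL line per DIR/*pl file; returns 1 on any FAIL.
check_perl_shebangs() {
    dir=$1 rc=0 cr=$(printf '\r')
    for f in "$dir"/*pl; do
        [ -f "$f" ] || { echo "FAIL $dir: no *pl scripts found"; return 1; }
        first=$(head -n 1 "$f")
        case $first in
            *"$cr") echo "FAIL $f: CRLF line ending in interpreter line"; rc=1; continue ;;
            '#!'*)  ;;
            *)      echo "FAIL $f: first line is not a #! line"; rc=1; continue ;;
        esac
        # Split "#!<path> [arg]" into the interpreter path and its first argument.
        read -r interp arg rest <<EOF
${first#??}
EOF
        # "#!/usr/bin/env perl": the named program must also resolve via PATH.
        if [ "${interp##*/}" = env ] && [ -n "$arg" ]; then
            command -v "$arg" >/dev/null 2>&1 ||
                { echo "FAIL $f: '$arg' not found in PATH"; rc=1; continue; }
        fi
        if [ -x "$interp" ] && [ ! -d "$interp" ]; then
            echo "OK   $f: $interp"
        else
            echo "FAIL $f: '$interp' is not an executable file"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: logout.pl with a usable interpreter line, sample.pl saved
# with CRLF line endings. /bin/sh stands in for the Perl executable.
demo_constructed() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/logout.pl"
    printf '#!/bin/sh\r\n' > "$d/sample.pl"
    check_perl_shebangs "$d" && status=0 || status=$?
    rm -rf "$d"; return $status
}

if [ -n "${WEBGATE_HOME:-}" ]; then
    check_perl_shebangs "$WEBGATE_HOME/oamsso-bin"
else
    demo_constructed || true   # the sample deliberately contains one failure
fi
```

A script that fails this check cannot be executed by the Web server, so a logout request redirected to the DCC's logout.pl would not reach the logout handling described above.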