30.8 Configuring Centralized Logout for 10g WebGate with 11g OAM Servers

You need to perform the following tasks to configure centralized logout for 10g WebGate with 11g OAM servers:

30.8.1 About Centralized Logout Processing for 10g WebGate with 11g OAM Server

The Access Manager centralized logout process occurs when the application is deployed on the Web server for which the protecting 10g WebGate is configured.

Logout is initiated when an application causes the invocation of the logout.html file configured for the OAM agent (in this case, a 10g WebGate).

30.8.1.1 Process Overview: Centralized Logout for 10g WebGate with 11g OAM Server

Here is an overview of the process followed for centralized logout for 10g WebGate with 11g OAM Server.

  1. The application causes invocation of the logout.html file configured for the 10g WebGate.

    The application then passes end_url as a query string to logout.html. The end_url parameter could either be a URI or a URL.

    For example:

    /oamsso/logout.html?end_url=/welcome.html
    or
    /oamsso/logout.html?end_url=http://my.site.com/welcome.html
    
  2. WebGate clears the ObSSOCookie for its domain and loads the logout.html script.

  3. If the end_url parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url parameter as a URL. For example:

    http://serverhost:port/oam/server/logout?end_url=http://my.site.com/welcome.html
    
  4. Logic in logout.html redirects the browser to the OAM Server. For example:

    http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/welcome.html
    
  5. The OAM Server executes logout as follows:

    1. Cleans up the session information associated with the user at the server side.

    2. Validates the end_url and sends a page with callback URLs to the user's browser.

      Note:

      The Logout Callback URL is specified in the expanded OAM Agent registration page.

      See Creating OAM WebGate Page and Parameters.

      You can locate the remote registration template as follows:

      See Table 15-3.

    3. From the callback page, a new request is initiated to a specific URI on each WebGate. When this request reaches the specific WebGate in the specific domain, the ObSSOCookie for that domain is cleared.

    4. The user is redirected to the end_url in the logout script. However, if the end_url parameter is not present, an appropriate message is sent by the OAM Server.

See Centralized Logout Script for 10g WebGates with 11g OAM Servers.

30.8.2 Centralized Logout Script for 10g WebGates with 11g OAM Servers

With a 10g WebGate, the logout.html script is required for both single- and multiple-DNS-domain centralized logout processing. The logout.html file runs the JavaScript that performs the actual logout.

Note:

11g WebGates do not use the logout.html script and instead require additional details in their Agent registration configuration.

See Configuring Centralized Logout for 10g WebGate with 11g OAM Servers.

The following example shows the logout.html script that you can use as a template. The lines you must edit for your own environment are described in the comment block at the top of the script; for instance, the host and port in SERVER_LOGOUTURL must be changed. Additional information is provided after the example:

logout.html Script

<html>
<head>
<script language="javascript" type="text/javascript">
///////////////////////////////////////////////////////////////////////////////
//Before using, you need to change the values of:
//a. "oamserverhost" to point to the host where the OAM Server is running.
//b. "port" to point to the port where the OAM Server is running.
///////////////////////////////////////////////////////////////////////////////
var SERVER_LOGOUTURL = "http://oamserverhost:port/oam/server/logout";
///////////////////////////////////////////////////////////////////////////////

function handleLogout() {

    //get protocol used at the server (http/https)
    var webServerProtocol = window.location.protocol;
    //get server host:port
    var webServerHostPort = window.location.host;
    //get query string present in this URL (without the leading "?")
    var origQueryString = window.location.search.substring(1);
    var newQueryString = "";

    //vars to parse the querystring
    var params = new Array();
    var name;
    var val;
    var eq;

    if (origQueryString != null && origQueryString != "") {
        params = origQueryString.split("&");
        for (var i=0; i<params.length; i++) {
            if (i == 0)
                newQueryString = "?";
            if (i > 0)
                newQueryString = newQueryString + "&";

            //split each parameter at the first "=" only, so that a value that
            //itself contains "=" (for example an end_url carrying its own
            //query string) is preserved intact
            eq = params[i].indexOf("=");
            if (eq < 0) {
                name = params[i];
                val = "";
            } else {
                name = params[i].substring(0, eq);
                val = params[i].substring(eq + 1);
            }

            //prepare a new query string, if the end_url value needs to be changed
            newQueryString = newQueryString + name + "=";

            if ("end_url" == name) {
                //check if val (value of end_url) begins with "/" or "%2F" (is it an URI?)
                if (val.substring(0,1) == "/" || val.substring(0,1) == "%") {
                    //modify the query string now: turn the URI into a URL on this Web server
                    val = webServerProtocol + "//" + webServerHostPort + val;
                }
            }
            newQueryString = newQueryString + val;
        }
    }
    //redirect the user to this URL
    window.location.href = SERVER_LOGOUTURL + newQueryString;
}
</script>
</head>

<body onLoad="handleLogout();">

</body>
</html>

30.8.2.1 Process Overview: Logic in logout.html

Here is an overview of the process that is followed in the logout.html script.

Following is the process flow:

  1. Gets the host and port from the incoming request.

  2. Gets the end_url parameter from the query string.

    If the end_url parameter is not a URL, then the logout.html script constructs a URL using the host and port from step 1.

    See "Guidelines for the end_url parameter in logout.html".

  3. Redirects to the OAM Server logout URL (SERVER_LOGOUTURL). For example: http://myoamserverhost:port/oam/server/logout.

    • Use the end_url constructed in step 2 as the query string.

    • Preserve all other query string parameters in the query string.

30.8.2.2 Guidelines for the end_url parameter in logout.html

The end_url parameter can be either a URI or a URL.

  • If the end_url query string is a URI, without host and port, then the logout.html must construct the URL by determining the host and port of the Web Server where logout.html is hosted. For example:

    http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/welcome.html
    
  • If the end_url parameter is a URL with the host and port, the logout.html script simply passes that on without reconstructing it.

Note:

An ADF application must pass the end_url parameter indicating where to redirect the user after logout.

See Configuring Centralized Logout for Oracle ADF-Coded Applications.

/<app context root>/adfAuthentication?logout=true&end_url=<any uri>

Table 30-5 illustrates how a logout link in the logout.html file might be specified:

Table 30-5 Sample end_url Parameter Specifications

  As a ...   Sample end_url Value
  --------   ------------------------------------------------------------------------
  URI        /oamsso/logout.html?end_url=<someUri>
             For example: /oamsso/logout.html?end_url=/welcome.html
  URL        /oamsso/logout.html?end_url=<someUrl>
             For example: /oamsso/logout.html?end_url=http://my.site.com/welcome.html
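The end_url handling described in the process overview and the guidelines above, written as an added example (this is not Oracle's logout.html and is not shipped with WebGate) in the form of a pure Node.js function so that it can be run offline. The function names, the Web server host:port my.site.com:7777 and the sample query strings are constructed for this example; the OAM Server URL is the placeholder from the script template. It goes slightly beyond the page's script by also handling parameters without an "=" and values that contain "=".

```javascript
// Added example, not Oracle's logout.html: the end_url handling from the
// process overview as a pure function, so it can be exercised in Node.js
// without a browser. Function names and sample values are this example's own.

// Turns the query string received by logout.html into the query string that is
// appended to the OAM Server logout URL:
//  - an end_url that is a URI (starts with "/" or its encoded form "%2F") is
//    prefixed with the protocol and host:port of the Web server that serves
//    logout.html, so the OAM Server always receives a full URL;
//  - an end_url that already is a URL is passed through unchanged;
//  - every other parameter is preserved in its original order.
function buildOamLogoutRedirect(serverLogoutUrl, protocol, hostPort, queryString) {
  var qs = queryString.charAt(0) === "?" ? queryString.substring(1) : queryString;
  if (qs === "") {
    // No query string: the OAM Server receives no end_url and answers with its
    // own logout message instead of redirecting (step 5 of the overview).
    return serverLogoutUrl;
  }
  var rebuilt = [];
  var parts = qs.split("&");
  for (var i = 0; i < parts.length; i++) {
    // Split at the first "=" only, so a value that itself contains "="
    // (an end_url carrying its own query string) survives intact.
    var eq = parts[i].indexOf("=");
    var name = eq < 0 ? parts[i] : parts[i].substring(0, eq);
    var val = eq < 0 ? "" : parts[i].substring(eq + 1);
    if (name === "end_url" && isRelativeUri(val)) {
      val = protocol + "//" + hostPort + val;
    }
    rebuilt.push(name + "=" + val);
  }
  return serverLogoutUrl + "?" + rebuilt.join("&");
}

// True when the value has no host:port, i.e. it begins with "/" or "%2F".
function isRelativeUri(value) {
  return value.charAt(0) === "/" || value.substring(0, 3).toUpperCase() === "%2F";
}

// Constructed inputs: the two link forms from Table 30-5 as they would reach
// logout.html on a Web server at my.site.com:7777 (a made-up host:port), with
// the placeholder OAM Server logout URL from the script template.
var SERVER_LOGOUTURL = "http://oamserverhost:port/oam/server/logout";
var WEB_SERVER_PROTOCOL = "http:";            // what window.location.protocol returns
var WEB_SERVER_HOSTPORT = "my.site.com:7777"; // what window.location.host returns

function demo() {
  var samples = [
    "?end_url=/welcome.html",                    // URI form
    "?end_url=http://my.site.com/welcome.html",  // URL form
    "?end_url=%2Fwelcome.html&lang=en",          // encoded URI plus another parameter
    ""                                           // no end_url at all
  ];
  return samples.map(function (s) {
    return buildOamLogoutRedirect(SERVER_LOGOUTURL, WEB_SERVER_PROTOCOL, WEB_SERVER_HOSTPORT, s);
  });
}

demo().forEach(function (url) { console.log(url); });
```

Splitting each parameter at the first "=" only matters when end_url carries a query string of its own (for example end_url=http://my.site.com/welcome.html?lang=en); splitting on every "=" would truncate the value. The function only normalizes the form of end_url; whether a given end_url is an acceptable redirect target is decided by the OAM Server, which validates the value before sending the callback page (step 5 of the process overview).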

30.8.3 Configuring Centralized Logout for 10g WebGates with Access Manager

You can configure centralized logout for 10g WebGates with Access Manager.

Note:

Tasks that are optional, or that are required only for multiple-DNS-domain logout, are identified and can be skipped unless needed.

Securing Applications with Oracle Platform Security Services includes a sample procedure that includes steps for deploying an application in a WebLogic Server domain.

Task overview - Configuring centralized logout for 10g WebGates:

  1. Create a default logout page (logout.html) and make it available in the WebGate installation directory:

    1. Create and edit logout.html for the WebGate based on the logout.html script provided in Centralized Logout Script for 10g WebGates with 11g OAM Servers.

    2. Store your logout.html script in the following directory path:

      WebGate_install_dir/oamsso/logout.html
      

      Note:

      If the logout.html file is located elsewhere, ensure that the logout link is correctly specified in the agent registration to point to the correct location of the logout.html file.

    3. Proceed with the following steps, as needed.

  2. Ensure that the logout.html (from Step 1) redirects the user to the central logout URI, "/oam/server/logout", on the 11g OAM Server.

  3. Optional: Allow the application to pass the end_url parameter indicating where to redirect the user after logout.

    See Guidelines for the end_url parameter in logout.html.

  4. Check the Web server file for which the 10g WebGate is configured and perform the appropriate step:

    • OHS Web server, httpd.conf file: If the following lines exist, delete them:

      <LocationMatch "/oamsso/*">
      Satisfy any
      </LocationMatch>
      
    • Other Web servers, configuration file: Add the following line:

      Alias /oamsso "WebGateInstallationDirectory/oamsso"
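A set of checks over the two files that the task overview above edits (the logout.html template and the Web server configuration), as an added example that is not Oracle's tooling. They are written as functions over file contents so they run offline in Node.js; the function names and the file contents below are constructed for this example, and the host oam.example.com:14100 is a made-up value.

```javascript
// Added example, not Oracle's tooling: post-edit checks for the logout.html
// template and the Web server configuration from the task overview. Function
// names and the constructed file contents are this example's own.

// Returns the SERVER_LOGOUTURL string from a logout.html, or null if absent.
function extractServerLogoutUrl(logoutHtml) {
  var m = /var\s+SERVER_LOGOUTURL\s*=\s*"([^"]*)"/.exec(logoutHtml);
  return m ? m[1] : null;
}

// Lists what is still wrong with an edited logout.html: template placeholders
// left in SERVER_LOGOUTURL, or a URL that does not end in the central
// /oam/server/logout URI (step 2 of the task overview).
function checkLogoutHtml(logoutHtml) {
  var findings = [];
  var url = extractServerLogoutUrl(logoutHtml);
  if (url === null) {
    return ["SERVER_LOGOUTURL not found in logout.html"];
  }
  if (/\/\/oamserverhost:/.test(url) || /:port\//.test(url)) {
    findings.push("SERVER_LOGOUTURL still has template placeholders: " + url);
  }
  if (!/\/oam\/server\/logout$/.test(url)) {
    findings.push("SERVER_LOGOUTURL does not end in /oam/server/logout: " + url);
  }
  return findings;
}

// True when an OHS httpd.conf still carries the "Satisfy any" block for
// /oamsso/ that step 4 of the task overview says to delete.
function hasOamssoSatisfyAny(httpdConf) {
  var block = /<LocationMatch\s+"\/oamsso\/\*">[\s\S]*?Satisfy\s+any[\s\S]*?<\/LocationMatch>/i;
  return block.test(httpdConf);
}

// True when a (non-OHS) Web server configuration has the Alias line that maps
// /oamsso to the oamsso directory under the WebGate installation.
function hasOamssoAlias(webServerConf) {
  return /^\s*Alias\s+\/oamsso\s+"?\S*\/oamsso"?\s*$/m.test(webServerConf);
}

// Combines the logout.html and OHS checks into one list of findings.
function report(logoutHtml, httpdConf) {
  var findings = checkLogoutHtml(logoutHtml);
  if (hasOamssoSatisfyAny(httpdConf)) {
    findings.push('httpd.conf still contains <LocationMatch "/oamsso/*"> with Satisfy any');
  }
  return findings;
}

// Constructed file contents: the unedited template line, an edited one, an
// httpd.conf before and after the OHS step, and an Alias line for another server.
var LOGOUT_HTML_TEMPLATE = 'var SERVER_LOGOUTURL = "http://oamserverhost:port/oam/server/logout";';
var LOGOUT_HTML_EDITED = 'var SERVER_LOGOUTURL = "https://oam.example.com:14100/oam/server/logout";';
var HTTPD_CONF_BEFORE = [
  '<LocationMatch "/oamsso/*">',
  '    Satisfy any',
  '</LocationMatch>'
].join("\n");
var HTTPD_CONF_AFTER = '# LocationMatch block for /oamsso/ deleted as described in the OHS step';
var OTHER_SERVER_CONF = 'Alias /oamsso "/opt/webgate/access/oamsso"';

console.log("before:", report(LOGOUT_HTML_TEMPLATE, HTTPD_CONF_BEFORE));
console.log("after:", report(LOGOUT_HTML_EDITED, HTTPD_CONF_AFTER));
console.log("alias present:", hasOamssoAlias(OTHER_SERVER_CONF));
```

Run against the real files by reading them with fs.readFileSync and passing the strings to report() and hasOamssoAlias(); an empty findings list for the OHS case, or a true result for the Alias case, means the files match what the task overview asks for.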