You need to perform the following tasks to configure centralized logout for 10g WebGate with 11g OAM servers:
The Access Manager centralized logout process occurs when the application is deployed on the Web server for which the protecting 10g WebGate is configured.
Logout is initiated when an application causes the invocation of the logout.html file configured for the OAM agent (in this case, a 10g WebGate).
Here is an overview of the process followed for centralized logout for 10g WebGate with 11g OAM Server.
1. The application causes invocation of the logout.html file configured for the 10g WebGate.
2. The application passes end_url as a query string to logout.html. The end_url parameter can be either a URI or a URL, for example:
   /oamsso/logout.html?end_url=/welcome.html
   /oamsso/logout.html?end_url=http://my.site.com/welcome.html
3. WebGate clears the ObSSOCookie for its domain and loads the logout.html script.
4. If the end_url parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url parameter as a URL. For example, end_url=/welcome.html becomes end_url=http://<host>:<port>/welcome.html, where <host>:<port> is the Web server that hosts logout.html.
5. Logic in logout.html redirects the browser to the OAM Server logout URL, passing end_url as a query string.
6. The OAM Server executes logout as follows:
   a. Cleans up the session information associated with the user at the server side.
   b. Validates the end_url and sends a page with callback URLs to the user's browser.
   c. From the callback page, a new request is initiated to a specific URI on each WebGate. When this request reaches the specific WebGate in the specific domain, the ObSSOCookie for that domain is cleared.
7. The user is redirected to the end_url in the logout script. However, if the end_url parameter is not present, an appropriate message is sent by the OAM Server.
11g WebGates do not use the logout.html script and instead require additional details in their Agent registration configuration.
The logout.html script provided in Centralized Logout Script for 10g WebGates with 11g OAM Servers can be used as a template by editing certain lines for your own environment; the lines to edit are described at the top of the script. For instance, SERVER_LOGOUTURL must be changed to the logout URL of your 11g OAM Server.
Here is an overview of the process followed in the logout.html script:
1. Gets the host and port from the incoming request.
2. Gets the end_url parameter from the query string.
3. If the end_url parameter is not a URL, constructs a URL using the host and port from step 1.
4. Redirects to the OAM Server logout URL (SERVER_LOGOUTURL), for example http://<oamserverhost>:<port>/oam/server/logout, and:
   a. Passes the end_url constructed in step 3 as the query string.
   b. Preserves all other query string parameters in the query string.
The end_url parameter can be either a URI or a URL. If end_url is a URI without host and port, logout.html must construct the URL by determining the host and port of the Web server where logout.html is hosted. If end_url is a URL that already includes the host and port, the logout.html script simply passes it on without reconstructing it.
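The redirect logic described above, as an added example that is not Oracle's shipped logout.html template: the decision (bare URI versus full URL), the host:port reconstruction, the preservation of the remaining query-string parameters and the redirect to SERVER_LOGOUTURL are written as plain functions so they can be unit-tested in Node.js before being dropped into the page's <script> block. The host and port in SERVER_LOGOUTURL are placeholders, and the URL and URLSearchParams globals are assumed to be available (modern browsers and Node.js).

```javascript
// Added example: the redirect logic of a 10g WebGate logout.html, written as
// plain functions so it can be unit-tested in Node.js before being placed in
// the page's <script> block. This is not Oracle's shipped template.

// Assumed placeholder: replace with your 11g OAM Server logout URL.
const SERVER_LOGOUTURL = "http://oam.example.com:14100/oam/server/logout";

// A value with a scheme followed by "//" is a URL (http://host:port/path);
// anything else (for example "/welcome.html") is treated as a URI relative
// to the Web server hosting logout.html.
function isAbsoluteUrl(value) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
}

// Build the redirect to the OAM Server from the incoming request.
// `loc` has the shape of window.location: { protocol, host, search }.
function buildLogoutRedirect(loc, serverLogoutUrl = SERVER_LOGOUTURL) {
  // Step 1: host and port of the server that served logout.html.
  const origin = `${loc.protocol}//${loc.host}`;

  // Step 2: end_url from the query string, separated from the other parameters.
  const incoming = new URLSearchParams(loc.search);
  const endUrl = incoming.get("end_url");
  incoming.delete("end_url");

  const outgoing = new URLSearchParams();
  if (endUrl) {
    // Step 3: a bare URI is turned into a URL on the local host:port;
    // a URL that already carries host:port is passed on unchanged.
    const absolute = isAbsoluteUrl(endUrl)
      ? endUrl
      : origin + (endUrl.startsWith("/") ? "" : "/") + endUrl;
    outgoing.set("end_url", absolute);
  }

  // Step 4b: preserve every other query-string parameter, in order.
  for (const [name, value] of incoming) outgoing.append(name, value);

  // Step 4: SERVER_LOGOUTURL with end_url (and the rest) as the query string.
  const query = outgoing.toString();
  return query ? `${serverLogoutUrl}?${query}` : serverLogoutUrl;
}

// Browser entry point: call this from the page's onload handler.
function redirectToOamLogout() {
  if (typeof window !== "undefined" && window.location) {
    window.location.replace(buildLogoutRedirect(window.location));
  }
}
```

In a real logout.html the only line to change is SERVER_LOGOUTURL, and redirectToOamLogout() is invoked on load. Note that a path-only end_url is bound to the local host:port, so a protocol-relative value such as //attacker.example/x becomes a path on the local server rather than an off-site redirect; an absolute URL is passed through unchanged, as the process above specifies, so where the user finally lands depends on the OAM Server's handling of end_url.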
An ADF application must pass the end_url parameter indicating where to redirect the user after logout:
/<app context root>/adfAuthentication?logout=true&end_url=<any uri>
Table 30-5 illustrates how a logout link in the logout.html file might be specified:
Table 30-5 Sample end_url Parameter Specifications
| As a ... | Sample end_url Value |
|---|---|
You can configure centralized logout for 10g WebGates with Access Manager.
Optional tasks, and tasks required only for multiple-DNS-domain logout, are identified and can be skipped unless needed.
Securing Applications with Oracle Platform Security Services includes a sample procedure that includes steps for deploying an application in a WebLogic Server domain.
Task overview - Configuring centralized logout for 10g WebGates:
1. Create a default logout page (logout.html) and make it available in the WebGate installation directory:
   a. Create and edit logout.html for the WebGate based on the logout.html script provided in Centralized Logout Script for 10g WebGates with 11g OAM Servers.
   b. Store your logout.html script in the oamsso subdirectory of the WebGate installation directory (WebGateInstallationDirectory/oamsso), so that it is served as /oamsso/logout.html.
   If the logout.html file is located elsewhere, ensure that the logout link in the agent registration points to the actual location of the logout.html file.
   Proceed with the following steps as needed.
2. Ensure that the logout.html (from Step 1) redirects the user to the central logout URI on the 11g OAM Server, /oam/server/logout.
3. Optional: Allow the application to pass the end_url parameter indicating where to redirect the user after logout.
4. Check the configuration file of the Web server for which the 10g WebGate is configured and perform the appropriate step:
   OHS Web server, httpd.conf file: If the following lines exist, delete them:
     <LocationMatch "/oamsso/*">
       Satisfy any
     </LocationMatch>
   Other Web servers, configuration file: Add the following line:
     Alias /oamsso "WebGateInstallationDirectory/oamsso"