Managing Global Logout Access
The Administration UI as well as the Student/Parent Self-Service (Portal) have been enhanced to include an option to force a global logout when your students, guests and admin users logout.
- When enabled, upon logging out of SFA application, SFA will send the logout request to your identity provider which will enable that request to be sent to other applications or services where the user has an active session.
- If you are integrating with OCI IAM and an external identity provider is configured and applicable to the user, OCI IAM will send the request to your IDP.
- Global Logout can be applied to a user via a new Permission
- Within the Administration UI the new permission is titled "Enable Global Logout"
- Within the Student/Parent Self-Service (Portal) the new permission is titled "Logout Globally"
- By default, local logout is enabled within Administration UI as well as the Student/Parent Self-Service (Portal).
Allows you to improve security by terminating all active user sessions during logout to reduce the risk of sensitive data being shared unknowingly.
Here's the demo of these capabilities:
Steps to Enable
Use the Opt In UI to enable this feature. For instructions, refer to the Optional Uptake of New Features section of this document.
Offering: Student Financial Aid
- This feature can be enabled once you have opted into the "OCI Identity and Access Management Integration" feature and updated your Oracle Student Financial Aid environment to either "Hybrid" or "Migrated" modes.
- Within the Administration UI, a user with "Administration" and the "Roles Permissions Management" permissions can access the Roles Management UI to opt into the feature
- Assign the "Enable Global Logout" Permission to a new or existing Role you wish to enable the global logout for
- Within the Student/Parent Self-Service (Portal), a user with the "Manage Self-Service Permissions" permission can access the Settings UI to opt into the feature
- Assign the "Logout Globally" Permission to a new or existing Role you wish to enable the global logout for
- If you are creating a new Role and you are integrating with OCI IAM,
- Assign an OCI IAM Group to the Role
- Assign the user to the OCI IAM Group
- Otherwise, assign the applicable users directly to the Role
- Users associated to the new Permission will need to logout and log in back in for the changes to take effect
Tips And Considerations
Logout buttons ("SIGN OUT" on Self-Service (Portal) and "Log Out" on Administration UI) will not change in appearance, however the functionality changes depending on what permissions have been assigned to the role that the user is associated to.
Key Resources
See:
- Idea 617646 for associated customer ideas.
- How do I assign global or local logout permissions?