Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Update the Logout Flow of an Enterprise Application using App Gateway
Introduction
As organizations modernize their identity infrastructure and adopt Single Sign-On (SSO) to streamline access across cloud and on-premises applications, much attention is placed on the login experience. But there is another, often overlooked aspect that plays a critical role in both security and user satisfaction: the logout flow.
For applications protected by App Gateway, particularly Enterprise Applications such as Oracle’s PeopleSoft applications and Oracle’s JD Edwards EnterpriseOne that use header-based authentication, the default behaviour upon logout can feel unintuitive. When a user signs out and attempts to log back in using the same browser tab, they are redirected to the Oracle Cloud Infrastructure (OCI) Console instead of being returned to the application. This break in flow can cause confusion, disrupt workflows, and reduce confidence in the system’s reliability.
Standard documentation covers SSO configuration, but it’s also crucial to consider the complete user experience, including the logout flow.
A logout experience that has not been fully optimized can lead to:
- Users not being fully signed out from all active sessions (both at the identity provider and application level).
- Confusion caused by phantom sessions persisting in legacy systems.
- Unintuitive redirects, such as being sent to the OCI Console instead of back to the original application.
- Missed opportunities to provide a custom-branded, seamless post-logout experience.
- Security risks from sessions left open or inconsistently terminated.
Refining the logout behaviour is essential to delivering a polished, consistent, and secure SSO journey, especially in hybrid environments that combine cloud-native apps with legacy systems.
This tutorial focuses on improving the logout flow. For initial setup, see:
- Configure seamless authentication for PeopleSoft applications using OCI IAM Identity Domains.
- JD Edwards EnterpriseOne Single Sign-On Using Identity and Access Management with Microsoft Entra ID
In this tutorial, we revisit a subtle yet impactful configuration that can significantly improve the end-user experience when using SSO with App Gateway. Also, we will go beyond the standard SSO setup and explore the configuration options to craft a smoother, more consistent SSO experience for your enterprise application users.
How App Gateway Logout Works
Users can log out of applications protected by App Gateway using two different mechanisms: the App Gateway logout URL, or a resource protected by a logout authentication method. For more information, see the documentation on logging out through the App Gateway Logout URL or by calling a resource protected by a logout authentication method.
- Use App Gateway Logout URL:
  This logout endpoint supports the following optional parameters, which help tailor the user’s post-logout journey:
  - postlogouturl: Use this parameter to define a custom landing page after logout. The URL must be URL-encoded. If not provided, App Gateway will fall back to the default logout redirect URL configured in your Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) session settings.
  - state: An optional parameter that can be passed from the enterprise application to retain contextual information or manage post-logout behaviour. This is particularly useful for applications needing to track session transitions or redirect users intelligently after logout.
- Use Resource Protected by Logout Authentication Method:
  You can enhance the logout flow of your enterprise application by creating a dedicated resource and applying an authentication policy configured with the Form + Logout authentication method. When a user accesses this specially protected resource, App Gateway automatically triggers the logout process, logging the user out of the SSO session managed by OCI IAM Identity Domain.
  This approach allows you to seamlessly integrate logout functionality into the application’s navigation or user interface, ensuring a smooth and secure transition out of the session, without relying on external redirect URLs or manual token invalidation.
Let us now see how these settings work for different enterprise applications to enhance the overall SSO experience for your end users.
Objectives
- Optimize App Gateway logout configurations for a seamless SSO experience.
- Understand how App Gateway logout works.
- Use App Gateway Logout URL best suited for JD Edwards EnterpriseOne.
- Use Resource Protected by Logout Authentication Method best suited for PeopleSoft.
- Customize the logout behaviour for applications protected by App Gateway.
- Redirect users back to the application post-logout.
- Improve session handling between legacy systems and modern identity providers.
Prerequisites
- Access to an OCI tenancy.
- Identity domain of type Oracle Apps Premium and an admin account on it.
- A PeopleSoft and JD Edwards EnterpriseOne SSO enabled instance with a valid SSL certificate.
- A user with SSO access to PeopleSoft and JD Edwards EnterpriseOne and the required privileges.
Task 1: Configure Logout from the App Gateway Protected Application
Option 1: Use App Gateway Logout URL to Enhance SSO Experience for JD Edwards EnterpriseOne
In this option, we are focusing on updating the App Gateway logout setting on JD Edwards EnterpriseOne.
1. Log in to the JD Edwards EnterpriseOne Server Manager Console.
2. Navigate to Select Instance… and select EnterpriseOne HTML Server.
3. Navigate to Configuration, select Advanced as View and click Security.
4. Select Enable Oracle Access Manager and update Oracle Access Manager Sign-off URL in the following format:
   http(s)://<appgateway_host>:<appgateway_port>/cloudgate/logout.html?postlogouturl=<url_encoded>&state=<state_value>
5. Click Apply to save the configuration.
6. Click Stop and Start the JAS Server to restart the JD Edwards EnterpriseOne Server.
7. Restart the App Gateway and test the logout flow.
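The sign-off URL format from the Oracle Access Manager Sign-off URL step, built programmatically as an added example (not part of the original tutorial and not Oracle code). The host names, port, landing page and state value are constructed, the function names are hypothetical, and the landing-host allowlist is a safeguard added by this example rather than an App Gateway setting.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Logout endpoint path, taken from the sign-off URL format in the tutorial.
LOGOUT_PATH = "/cloudgate/logout.html"


def build_signoff_url(gateway_host, gateway_port, post_logout_url,
                      state=None, allowed_landing_hosts=()):
    """Build the sign-off URL with postlogouturl and state percent-encoded."""
    target = urlsplit(post_logout_url)
    # Added safeguard (an assumption of this example, not an App Gateway
    # feature): accept only HTTPS landing pages on hosts the operator listed.
    if target.scheme != "https" or target.hostname not in allowed_landing_hosts:
        raise ValueError(f"landing page not allowed: {post_logout_url!r}")
    # safe="" also encodes ':', '/', '?', '&' and '='. Otherwise a landing URL
    # with its own query string leaks its parameters into the logout URL.
    query = "postlogouturl=" + quote(post_logout_url, safe="")
    if state is not None:
        query += "&state=" + quote(state, safe="")
    # HTTPS is assumed here; the tutorial's format also permits http.
    return f"https://{gateway_host}:{gateway_port}{LOGOUT_PATH}?{query}"


def parameters_as_parsed(signoff_url):
    """Return (postlogouturl, state) as a query-string parser decodes them."""
    params = parse_qs(urlsplit(signoff_url).query)
    return params["postlogouturl"][0], params.get("state", [None])[0]


# Constructed sample values; substitute your own hosts, port and landing page.
LANDING = "https://jde.example.com/app/home?env=PROD&tab=menu"
SIGNOFF = build_signoff_url("appgw.example.com", 4443, LANDING,
                            state="jde-logout",
                            allowed_landing_hosts={"jde.example.com"})
# The same URL pasted without encoding, to show what goes wrong.
UNENCODED = ("https://appgw.example.com:4443" + LOGOUT_PATH +
             "?postlogouturl=" + LANDING + "&state=jde-logout")

if __name__ == "__main__":
    print(SIGNOFF)
    print(parameters_as_parsed(SIGNOFF))    # landing page survives intact
    print(parameters_as_parsed(UNENCODED))  # landing page cut at the first '&'
```

Paste the value of SIGNOFF into the Sign-off URL field; the unencoded variant shows why a landing page with its own query string loses everything after its first `&`.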
Option 2: Use Resource Protected by Logout Authentication Method to Enhance SSO Experience for PeopleSoft
In this option, we are focusing on Resource Protected by Logout Authentication Method to enhance the SSO experience for PeopleSoft. For more information about configuring PeopleSoft SSO using App Gateway, see Configure seamless authentication for PeopleSoft applications using OCI IAM Identity Domains.
Note: We assume that you have successfully configured PeopleSoft with OCI IAM for SSO using App Gateway. This section covers adding logout configurations only.
1. Go to the Enterprise Application for the PeopleSoft instance configured during SSO setup.
   Navigate to Identity and Security, Domains, select your domain, click Integrated applications and select your Enterprise application for PeopleSoft.
   Note: The name of your Enterprise Application for PeopleSoft may vary; it is the name you gave it during SSO setup for PeopleSoft.
2. Click SSO configuration and Edit SSO configuration.
3. In Edit SSO configuration, click Add Resource for Logout, enter the following information and click Add resource.
   - Resource name: Enter logout.
   - Resource URL: Enter the resource URL in the format of your application URL.
   - URL query string: Enter cmd=logout.
   - Select Use regex expressions.
4. Similarly, create one more Logout Resource for the PSC Logout URL.
5. Now, click Add resource for Expire, enter the following information and click Add resource.
   - Resource name: Enter PSP Expire.
   - Resource URL: Enter the resource URL in the format of your application URL.
   - URL query string: Enter cmd=expire.
   - Select Use regex expressions.
6. Similarly, create one more Expire Resource for PSC Expire.
7. Now, add an Authentication Policy for the created resource: select the logout resource under Resources and Form + Logout under Authentication Method. In URL after sign-out, add the PeopleSoft landing page URL.
   Note: Follow Step 7 for the following resources as well.
   - PeopleSoft Component (PSC) Logout Resource
   - PeopleSoft Portal (PSP) Expire Resource
   - PSC Expire Resource
8. Move all these created resources to a higher priority on the Authentication Policy list. The order should be Logout and Expire first, then psc, and Default resources last.
9. Click Stop and Start PeopleSoft server to restart the PeopleSoft server.
10. Restart the App Gateway and test the logout flow.
Task 2: Configure OCI IAM Session Settings for Logout
This setting functions independently of the previously mentioned configurations and specifically manages the sign out experience within OCI IAM. It is recommended to enable this option only when your use case involves a single enterprise application or when you want all users, upon signing out, to be consistently redirected to a unified company landing page — ensuring a seamless and branded exit experience.
1. Go to the OCI Console, navigate to Identity and Security, Domains and select your domain. Select Settings and click Session settings.
2. Update Sign-out URL to the landing page where you want all users redirected after they have successfully signed out, and click Save Changes.
Task 3: Handle User Onboarding with Custom Redirects
A common pattern we have observed across many organizations is the need to streamline the user onboarding experience, particularly when new users reset or set up their passwords for the first time. By default, when users complete these actions in the same browser tab, OCI IAM presents a Continue Sign In option, redirecting them to the /myconsole landing page.
However, for many enterprise environments, exposing end users to the /myconsole interface is neither necessary nor ideal. Instead, these organizations often prefer users to begin in a clean session and be directed straight to a specific Enterprise Application landing page using a Service Provider (SP) initiated SSO flow.
To support this preference, OCI IAM now offers the ability to hide the Continue Sign In option. When this setting is enabled, users who are completing onboarding steps such as password setup or reset will no longer see the Continue Sign In option. This ensures that after completing these steps, users are not redirected to /myconsole, but can instead initiate a new session aligned with your organization’s SSO entry point.
This configuration improves the onboarding experience and ensures users are directed to the intended applications and environments without unnecessary redirects.
Follow these steps to disable the Continue Sign In option in OCI IAM:
1. Go to the OCI Console, navigate to Identity and Security, Domains, select your domain and click Branding.
2. Select Custom Branding and then Hide Continue Sign In Button. You can also update the other settings to customize the look and feel of your OCI IAM landing page. Then click Save Changes.
Related Links
- Configure seamless authentication for PeopleSoft applications using OCI IAM Identity Domains.
- JD Edwards EnterpriseOne Single Sign-On Using Identity and Access Management with Microsoft Entra ID
Acknowledgments
- Author - Chetan Soni (Senior Cloud Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G36497-01
Copyright ©2025, Oracle and/or its affiliates.