ApEx SSO logout

Similar Messages

• SSO logout not working properly (cookie remains set)

  Hi, I've just implemented single sign-on authentication for my APEX 2.2 applications with help of these two howtos:
  http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html#INSTALL
  http://becomeappsdba.blogspot.com/2007/01/apex-apps-configure-sso-ii.html
  It quite works smoothly, e.g. for pages that require authentication the user is redirected
  ("Redirecting to the Login Server for authentication...") to the SSO server (another machine, a part of Oracle Collaboration Suite infrastructure). There on the login screen, the user enters the credentials and after submit (if the credentials are OK) is redirected back to the APEX application as an authenticated user.
  When the user clicks "Logout", the application redirects him (her) to the page specified in the "Logout URL" attribute of the SSO authentication scheme and the displayed username changes to "nobody". So far so good.
  However, the problem is that the user is in fact not logged out. On a subsequent attempt to get to an authenticated page within the same browser window the application displays for a short while "Redirecting to the Login Server for authentication..." but it doesn't really get the user to the SSO logon screen to enter username and password and instead it redirects him (her) directly to the required page as the previously authenticated user (the user who clicked the "Logout" sign). The only workaround is to close the browser window and start over again as the other user, which is not very convenient nor secure. It seems that despite the seeming logout the cookie remains set and I don't how to force the application to get rid of the cookie upon logout.
  Has anybody faced this behaviour and has some assistance for me?
  Thanks in advance.
  Zdenek

  Scott,
  thank you very much for your prompt explanation and pointing to the right thread. There, I was able to quickly find what I was looking for - the logout URL:
  https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
  Having that, it took me just 5 minutes to adopt it to my conditions (change machine names & page number), paste it to the SSO authentication scheme's logout URL field and sucessfully test it.
  To summarize for others in need, these are relevant links to this topic:
  Re: Partner Application in SSO logout does'nt synchronize
  SSO authentication
  Logout URL for 9iAS SSO Partner App
  Thanks again & appologies for asking this question without preceding proper searching for answer in this excelent & useful forum.
  Zdenek

• SSO Logout Status

  I am currently using SSO for authentication and it is functioning properly except the checkmark image does not show on the logout page for the partner application name that was created for APEX. If i am logged into other AS instances running SSO (portal), the checkmark does show for them. Not sure if it is the SSO partner app config or sso logout url. Thank you for any information.
  Logout URL on SSO is : wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://server/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://server/pls/apex/f?p=app:page
  Robert

  Robert,
  Logout URL on SSO is : wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://server/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://server/pls/apex/f?p=app:page
  That's the link that appears on the Single Signout page? It should be a fully qualified URL, at least. And it cannot have substitution item syntax like &APP_ID.. But if all you want to happen when the Single Signout page is shown is for a nice checkmark image to appear then just get the login server admin to change your application's partner application registration to use the logout URL of one of the other partner applications for which a checkmark does appear. Either that or create a checkmark image in your images directory and put a link to that in the registration form.
  If you want that logout link to actually do something (unset cookies, etc.), you'll have to do more work, but I don't see any extra benefit of doing that -- once the Single Signout Page is done your users will have to re-authenticate to use your application.
  Scott

• Why the sign-off page Not Displayed when I do SSO Logout ?

  Hi All,
  I am using Oracle SSO 10.1.4.1 and OID 10.1.4.1 and registering our ADF application to participate in the SSO.
  When I call SSO Logout from the web application with this URL :
  http://myserver:port/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://myserver:port/portal/page/portal/myPORTAL
  It just do the Logout "Silently" and then redirect to http://myserver:port/portal/page/portal/myPORTAL.
  Doesn't it should firstly display a page that shows the list of all application that will be logged-Off ?
  Why that sign-off page does not get displayed ?
  Thank you for your help,
  xtanto

  Looking at the product version you mentioned, I assume you are referring to Oracle Access Manager. When you configure a Logout URL, it will just end the session by killing ObSSOCookie and take you to the Logout URL as specified by the Administrator. OOTB, it wont be able to display the list of the applications you will be logged off from. This needs custom development to achieve what you are expecting. First you need to find out what all applications the user is logged in or to what all applications the ObSSOCookie session is passed and then display them on the Logout URL.

• OAM 11g Webgate 10g customized SSO logout page

  As stated in the title, I am using OAM 11g and Webgate 10g. I am trying to create a customized SSO logout page but am confused on a few parts. First off, in http://docs.oracle.com/cd/E17904_01/doc.1111/e15478/logout.htm#CHDHFGJC , it states the following step for their logout.html:
  Logic in logout.html redirect to the OAM Server. For example:
  http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/
  welcome.htmlMy question is if this is truely required? Or is there a way to have OAM invalidate the session and do its internal part of the logout procedures without needing to force the user to redirect to the OAM server's logout URL (eg: it automatically recognizes that the Webgate URL is "...../logout.html" and handles it properly). From talking to colleagues it sounds like this should be possible, and I see some mentions of it in the above documentation, but this appears to be 11g OAM and 11g Webgate behavior. At the same time though, the line "Logout is initiated when an application causes the invocation of the logout.html file configured for any registered OAM 10g Webgate." Leads me to believe that it can work with 10g webgate as well.
  Or, is there a way to have multiple valid logout pages on the OAM server? (There is currently a customized logout page that we cannot modify, and does not meet all the requirements we have for look/feel)
  Thank you
  Edited by: mBaldwin on Apr 12, 2013 10:30 AM

  Bump Any ideas?

• SSO logout issue with APEX

  I am trying to resolve the logout URL issue with our APEX application configured as a partner application with SSO. The partner application name is SSO_APEX and the logout URL is defined in partner application as
  http://OID_Server:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout where OID_Server is our OID server name.
  In the APEX application page, I tried to open the application that was imported from another apex server.
  Home>Application Builder>Application 107>Shared Components>Authentication Schemes
  SSO_Auth - current is
  &INFRA_NAME./pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=&SERVER_NAME./pls/htmldb/f?p=&APP_ID.
  The logout link is http://INFRA_NAME:7777/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http://SERVER_NAME/pls/cms/f?p=107 , The application is retrieving the INFRA_NAME and SERVER_NAME values from a database table and they correspond to the OID and 10g application servers respectively.
  The logout link should take it to the login page where the user will be prompted to enter login credentials again however it is currently taking to the above logout link page from APEX. It is not changing even though I specified a different logout link in partner application page. Moreover the check box beside SSO_APEX in the logout page is unchecked.
  The authentication scheme of application is overriding the partner application configuration. How can I make sure the logout is actually happening? Thanks in advance for any suggestions.
  Pavan.

  Scott,
  I am having the same issue, and have posted on another thread about this same thing. I know that's inappropriate to post the same thing in multiple threads, but I was searching the forum again today, and Pavan described exactly what I'm experiencing.
  We have been using SSO for about 4 years or so now, and haven't had logout issues. Our DBA at the time had written his own logout function for SSO where he invalidated the cookie with owa_cookie calls. It's worked until now. We have upgraded our database servers and all URLs referencing those servers are now in a different domain than our OAS server. Now the logic in the logout function is no longer invalidating the cookie for SSO (because it's in a different domain). SSO login and authentication still work, it's just the logout that does not.
  I'd like to just alter the logout URL to redirect to the OAS server for logout as you described. But here's what's happening. I press logout link, and it takes me to the OAS Single Sign-Off page where it shows the services it's logging you out of, but it doesn't automatically redirect (just sits there until I press the Return button).
  Is that expected (no automatic redirect)?
  And as Pavan mentioned, the Partner application name (APEX_SERVERNAME_SSO) doesn't show a checkmark next to it. If I go back to my application, I get right back in without being prompted for SSO (ie, not logging out successfully then).
  I know there are a lot of question marks here, but I'm not sure if there's something obvious I am missing or if there's something else I need to fix that I don't know about.
  Can you offer any guidance?
  Thank you for your time,
  Chris

• Partner Application in SSO logout does'nt synchronize

  Hi All,
  I've setup two separate application on different workspace and different server as partner Application. I've follow the instruction from http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
  . And everything working fine, but the "logout" seen doesn't work correctly.
  Example: I'm login to Application "A" from single sign on homepage, after enter username and password, it direct me to Application "A". After that, i've click on Application "B" which also located on single sign on homepage and direct me to application "B" (that's correct). When I clicked on the "logout" link in Application "A" it work fine, but the other Application (B) doesn't log me out. I can do the normal work on Application "B" even the Application "A" already logout.

  Hi Scott,
  Thank you for your reply. I've read the two link above and I don't figure out how to resolve my problem yet. From the link: Logout URL for 9iAS SSO Partner App
  you said:
  Steve - Here's a logout URL that unsets the app's session cookie first, then goes to Single Sign-off, then back to a public page in the app:
  https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGECan set the authentication schema logout URL of application "A" something like: unsets app's session cookies first, then goes to Single Sing-off, then goes to Application "B" sign-off, and then back to a public page in the app. That way will be logout the Application "A", logout the Single Sign-On, and logout the Application "B" when i click on the "logout" link from Application "A". Am I correct?
  The other question is how can i get the SSO cookie. I've used the owa_cookie.get('cookie_name') function, but it doesn't work for SSO.
  Thanks,
  Kevin

• BOBJ XI 3.1 SP7 SSO logout and login again not working

  Hello,
  The customer have a deployment of five BOBJ XI 3.1 SP7 with Tomcat 7 servers and AD integration with SSO.
  The case is that:
  The SSO login works fine on all servers, but when click logout and then go to the address bar and hit enter on the first four servers SSO reacts again, but on the 5th does not. The only way to login again is to close the browser and open it again.
  The configuration and the versions of Tomcats is exactly the same. The only difference is in the version of Windows the first four servers are on Windows 2003R2, but the 5th(the last) is on Windows Server 2008R2. I think the problem is somewhere in the application server(the Tomcat), but the server.xml and the web.xml of the InfoViewApp are the same.
  The SPNs are:
  BOBJCentralMS/hostname serviceaccount
  HTTP/hostame serviceaccount
  HTTP/FQDN serviceaccount
  I'm out of ideas so if somebody can help I'll be happy.
  Thank you in advance!
  Dilyan

  Hi Manna Das,
  I'll check the log, when i go to the customer(have no remote connection).
  Hi Sebastian Wiefett,
  Where in the BOBJ documents is described that the all nodes in the cluster must be on the same OS? I think it does not matters. Only the version of SP and FP must be the same.
  Different browsers are not allowed in the customer's newtwork. Only Internet Explorer.
  I'll try Kerberos debugger. I forgot about it.
  Hi raunak kumar,
  The case is not the same. First the resolution described in SAP Note 1835729 is included in SP7, second here the problem is not on the refresh page(F5), but on click in the address bar and hit "enter". There is difference between the two methods.
  Thank you for the suggestions!

• JSESSIONID not deleted during SSO logout

  We have a ADF/Struts webapp on OracleAS 10.1.2.0.2 protected by SSO (mod_osso). When a user logs off from SSO, all a success mark is shown from each partner app where the user was logged in (including our application), but the remains logged in to the webapp nevertheless.
  I have tracked the problem down to the JSESSIONID cookie, which causes the user to be logged in the application as long as the cookie is present. All the strictly SSO-related cookies are deleted during the logout except the JSESSIONID for the SSO partner webapp. The user is always correctly logged out from e.g. OIDDAS after logout.
  After logout, if I go and destroy the cookie either by manually deleting it from my browser or by closing the web browser, mod_osso shows immediately the SSO login page. i hav also verified by tracing the HTTP traffic that it is the JSESSIONID cookie that causes this behaviour.
  In Metalink article Note:258200.1, it is said that JSESSIONID cookie is not directly related to SSO so why is it a key factor when deciding whether a user actually is logged off from the application? Furthermore, the metalink article clearly states that the JSESSIONID cookie is deleted during logout (which is not the case).
  As far as I remember, we have never been able to see it working in our setup.
  Can mod_osso/SSO/whatever be configured do delete the JSESSIONID during the SSO log off or what would be the correct way to get the logoff working? Furthermore, shouldn't mod_osso actually ignore the JSESSIONID cookie and only care about the SSO-related cookies when deciding whether to allow the user in?
  TIA,
  Markus

  We solved the problem by implementing a Servlet filter that takes care of invalidating the user session if the user has logged out (either explicitly or through Global User Inactivity Timeout).
  The solution follows the guidelines described in
  Oracle Identity Management Application Developer's Guide section "9.4.1 Single Sign-Off and Application Logout" (http://download-uk.oracle.com/docs/cd/B14099_19/idmanage.1012/b14087/mod_osso.htm#BJFGAGIA)
  IMHO, the solution is a bit overkill, but it solved the problem. We haven't yet tried the solutions proposed by Rodrigo.

• SSO Logout Doesn't Work

  [9iAS Release 2 with OID, 9iDB 9.2.0]
  i have a Java partner application registered with the Login Server, and authentication is functioning properly. my application delegates to the LS for user authentication if no session is present, and reads the username correctly once the session has been set. the only problem is... i can't log the user out. i've used the example Oracle code (papplogout.jsp); i've written my own manual cookie-trashing methods in SSOEnablerBean.java; i've copied the redirect code from OIDDAS which auto-posts a form so the ssosignoff package. nothing works. once the redirect returns to ssoHome.jsp (my analog of papp.jsp) after logout the SSO bean recognizes who i am (or, who i was) and happily forwards me back into the application, session and SSO username intact.
  has anyone else experienced this? how can i kill my SSO cookie when a user wishes to logout, without closing the browser?
  thanks
  .rich

  Hi,
  I am looking for solution of the exact problem.
  Have you solved it?
  thanks,
  Branislav

• SSO logout question

  Good day gentlemen,
  I'm having a little problem with SSO built-in authentication scheme. I've created a simple application to test it, and enabled the built-in authentication scheme, Oracle Application Server Single Sign-On (Application Express as Partner Application).
  - Everything runs fine, when i access the app, the login page configured in SSO shows... but when i logout from the created application it doesn't work correctly, i just enter the app url again and gain normal access to it.
  My question is: do i have to create a Logout function to invalidate the session?

  Edson,
  There's some discussion here and some good tips from Anton: SSO authentication and another post here, which stresses the importance of first identifying your objectives, as a logout URL in an SSO setup must be constructed so that it does what you want it to do: Logout URL for 9iAS SSO Partner App .
  Scott

• Broken Image on SSo Logout Page

  Hi, I'd implemented SSO as Partner Application on an HTML DB application. Everything works great, except for the Status Image on the Logout Page, that is not been showned correctly.
  How can I fix this problem. Is this a setting on the SSO Server, or is it an HTML DB issue?
  Regards.

  Ah, ok. That will be a great solution in case I want to customize the images on that page.
  But I just want to use the standard solution with the standard icons. I'd looked at other Oracle applications and I believe that icon is called "osso_logout_success". Do I have to set sth. on the SSO Server in order to view it correctly?
  Regards

• APEX SSO - execution of regapp.sql failing

  Hi All,
  I have Database 11.1.0.6.0. APEX version is 3.0.1
  I am trying to Configure SSO(single sign-on) with Apex.
  I am logged in as FLOWS_030100 into the database
  I am facing following issues when trying to execute the regapp.sql, which is extracted from ssosdk902.zip. I got this zip from 10.1.2.0.1 Oracle App Server and trying to use it for configuration for version 10.1.3.1
  1. It fails with following error.
  Partner Application Configuration
  ERROR: Error in registration. Please try again
  ORA-06502: PL/SQL: numeric or value error: character string buffer too small
  PL/SQL procedure successfully completed.
  Commit complete.
  I figured out it was complaining for the l_ip_check varchar2(1); size, I increased that but then I got the following message:
  Partner Application Configuration
  ERROR: Error in registration. Please try again
  User-Defined Exception
  PL/SQL procedure successfully completed.
  Commit complete.
  No errors.
  I am wondering why is it not prompting for the values. Is there some change I should be doing to the regapp.sql to get it working for 11g DataBase.
  Please reply.
  Thanks
  Pooja
  Edited by: user539270 on Mar 19, 2009 11:57 PM

  Hi Scott
  Thanks for the reply!
  I got the script working without any change when executed from SQL Developer.
  How ever I am facing issue after getting the APEX configured with Oracle SSO. I have opened another thread with the details.
  (Facing Issues: APEX Configuration with SSO
  Please have a look.
  Regards
  Pooja

• APEX SSO and Load balancing: Could not determine workspace for application

  We had a single HTTP Server serving APEX in a 10.2.0.2 database configured with SSO to be used by the developers. APEX has been registered as a partner application and the login url has been CA Siteminder protected so that the SM_USER details are forwarded in the header for the application to use for authorization. Everything is fine so far.
  Now we have added a HTTP Server on another host and have it all set up for APEX and its pointing to the same database. APEX_ADMIN access works as normal, but applications previously using SSO now get the following error after entering the URL.
  Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
  Error ERR-7620 Could not determine workspace for application ().
  Using HTTP Watch I find that the application is not even trying to redirect to the login page.
  What is wrong here?

  APEX has been registered as a partner application as described in
  http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
  In the meantime I found metalink document 368746.1 which describes the cause of this problem. Please read carefully what I wrote, it all works when the the new APEX web server is turned off in the server farm on the load balancer and directed through the original web server. When running regapp.sql the hostname in the listener token was using the virtual hostname. This works fine if the request comes from the original APEX server which proofs that there is nothing wrong with the installation and set up of SSO. When directing the request to the new APEX web server the APEX_ADMIN page still works only existing work spaces using SSO don't seems to work anymore resulting in a error as described in the subject.
  As for metalink document 368746.1 naming the causes of this error:
  - there are no duplicate entries in WWSEC_ENABLER_CONFIG_INFO$
  -LISTENER_TOKEN clearly works for requests coming from the first web server
  -theoretically the web server listener port could be changed from 7777, but port 80 needs to be maintained here as production is mimiced as far down as possible.
  Is there some cache table which can be cleared? How is it that the flows schema (apex engine) can not find the work space when the request comes from a new web server which can however access the APEX_ADMIN pages.
  anyone?

• Problem with apex sso

  Hi all,
  I installed Oracle 11g, apex is 2.0
  then i updraded to apex 3.1.
       I want to enable sso for apex applications,
  for that i followed the below steps:
  step 1) Created authentication scheme for the application
  step 2) in flows_030100 schema i ran loadsdk.sql script.
  After that i ran regapp.sql script, but it is giving error : "numeric or value error; character buffer too small"
  can you pls tell me how to fix this problem.regards
  K M
  Edited by: [email protected] on Apr 17, 2009 10:53 PM

  Hi,
  See also at metalink note
  Note 562807.1
  Configuring an APEX Application to Use SSO With SDK in
  Kind regards,
  Iloon