SSO Logout Doesn't Work

[9iAS Release 2 with OID, 9iDB 9.2.0]
I have a Java partner application registered with the Login Server, and authentication is functioning properly. My application delegates to the LS for user authentication if no session is present, and reads the username correctly once the session has been set. The only problem is... I can't log the user out. I've used the example Oracle code (papplogout.jsp); I've written my own manual cookie-trashing methods in SSOEnablerBean.java; I've copied the redirect code from OIDDAS which auto-posts a form to the ssosignoff package. Nothing works. Once the redirect returns to ssoHome.jsp (my analog of papp.jsp) after logout, the SSO bean recognizes who I am (or, who I was) and happily forwards me back into the application, session and SSO username intact.
Has anyone else experienced this? How can I kill my SSO cookie when a user wishes to log out, without closing the browser?
Thanks
.rich

Hi,
I am looking for a solution to the exact problem.
Have you solved it?
thanks,
Branislav

Similar Messages

  • SSO logout not working properly (cookie remains set)

    Hi, I've just implemented single sign-on authentication for my APEX 2.2 applications with help of these two howtos:
    http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html#INSTALL
    http://becomeappsdba.blogspot.com/2007/01/apex-apps-configure-sso-ii.html
    It works quite smoothly, e.g. for pages that require authentication the user is redirected ("Redirecting to the Login Server for authentication...") to the SSO server (another machine, a part of Oracle Collaboration Suite infrastructure). There on the login screen, the user enters the credentials and after submit (if the credentials are OK) is redirected back to the APEX application as an authenticated user.
    When the user clicks "Logout", the application redirects him (her) to the page specified in the "Logout URL" attribute of the SSO authentication scheme and the displayed username changes to "nobody". So far so good.
    However, the problem is that the user is in fact not logged out. On a subsequent attempt to get to an authenticated page within the same browser window the application displays for a short while "Redirecting to the Login Server for authentication..." but it doesn't really get the user to the SSO logon screen to enter username and password and instead it redirects him (her) directly to the required page as the previously authenticated user (the user who clicked the "Logout" sign). The only workaround is to close the browser window and start over again as the other user, which is neither very convenient nor secure. It seems that despite the seeming logout the cookie remains set and I don't know how to force the application to get rid of the cookie upon logout.
    Has anybody faced this behaviour and has some assistance for me?
    Thanks in advance.
    Zdenek

    Scott,
    thank you very much for your prompt explanation and pointing to the right thread. There, I was able to quickly find what I was looking for - the logout URL:
    https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
    Having that, it took me just 5 minutes to adapt it to my conditions (change machine names & page number), paste it to the SSO authentication scheme's logout URL field and successfully test it.
    To summarize for others in need, these are relevant links to this topic:
    Re: Partner Application in SSO logout does'nt synchronize
    SSO authentication
    Logout URL for 9iAS SSO Partner App
    Thanks again & apologies for asking this question without first searching properly for an answer in this excellent & useful forum.
    Zdenek

  • Logout does not work in OIM after enabling OAM SSO

    We have installed a webgate to protect xlWebApp in OIM. Once the SSO is enabled, the logout does not work in the OIM user interface. How to solve this issue?
    Metalink has a solution where we need to add document.location="http://host:port/access/oblix/lang/en-us/logout.html"; in xlWebApp\tiles\tjspLogoffTiles.jsp. This is the logout URL of OAM. Is there any other way so we can have a logout page in the OIM application/server itself?
    Thanks.

    Kevin,
    I did what you suggested and initially it looked like it was working, but there is a slight issue. When I click Logout, it redirects to the logout screen. After logging out, when I try to access xlWebApp it prompts for the login (I am using basic authentication). If I cancel it and again try to access xlWebApp, it lets me in without any prompt. This issue is in IE only but not in Firefox. Not sure what the issue is.
    Btw, to make the logout screen work, I had to unprotect the following with None Authentication:
    - /xlWebApp/pages/logout.html      (logout page)
    - /xlWebApp/images
    - /xlWebApp/css/Xellerate.css
    - /xlWebApp/css/style.css
    Thanks.
    Edited by: user504421 on Mar 16, 2009 9:52 AM
    Edited by: user504421 on Mar 16, 2009 10:00 AM
    Edited by: user504421 on Mar 16, 2009 10:01 AM

  • RD Web access SSO - remote desktop doesn't work

    Hi,
    This is my first post in here, and I hope you guys can help me out.
    I am currently experiencing some issues with RD Web SSO not working as I would like it to work. I have found countless articles and guides describing how to get it to work, but no guide has yet helped me.
    The problem is that when I log in on the web access and open a published application everything works fine: I wait 5 sec and the application pops up. But when I try to open "Remote Desktop" I get a new login box where I must enter my login credentials again (after entering my credentials everything works great).
    The problems I am currently facing is produced in a demo environment configured as follows:
    1x DC server (DC01) also the lic server
    2x RDS server (RDS01/02)
    1x RDS Connection broker (RDCM01)   I have created a farm named "farm01.mydomain.com"
    1x RDS Web access server (RDWA01)
    1x RDS Gateway (RDSGW01)
    (All the Servers are installed with Windows server 2008 (R2) SP1, and have the latest update.)
    I am publishing my demo environment on the internet. I have created a domain name for my gateway and my web access and they are both accessible from the web (rdwa.mydomain.com and rdsgw.mydomain.com). I have also secured everything with an SSL wildcard certificate (my external and internal domain names are the same so I am using one SSL certificate) that is trusted on the web.
    When I log in on the web access server through (IE9 or IE8) from another network (WAN) and I open a published application (calculator), it pops up in just a few seconds. But when I try to open my Remote Desktop I get a login box where I must enter my username and password one more time. After that Remote Desktop opens and everything works great.
    My laptop is a Windows 7 Professional with RDP 7 and IE 9, and is not a member of a domain (just a workstation). I have tested it from multiple workstations and networks (also Win 7 and RDP 7) but even there I have the same problem.
    Things that I have tried till now:
    I have created a Kerberos account as mentioned on MSDN
    I have checked my group permissions as mentioned here
    And many more blogs and forums
    I have tried multiple settings on RDCM, RDWA, RDSGW and RDS server
    Right now I am out of ideas, and I hope you guys can help me out.
    thanks in advance,
    Pouyan

    Thanks for your advice,
    Did you go into your RemoteApp Deployment settings and change the server name to the farm name "farm01.mydomain.com?"
    Yes
    Also in the Session Broker's RemoteApp and Desktop Connection Properties window change the Connection ID to the farm name as well.
    Actually I couldn't find out what to put in the Connection ID so I had left it at the default, but after changing it to the farm name it still doesn't work.
    Did you sign your apps with the cert used on your RDS servers?
    Yes, I am using a wildcard SSL certificate to sign all the servers/apps with.
    There is something that strikes me: when I log on to the web access and click on a published application (that is hosted from the same RDS servers) then I get an information box. When I click on the "details" button I see on the bottom "use the following credentials to connect" and my domain and username are published there. But when I click on the "Remote desktop" icon and do the same I can't see this information!!
    Also I don't think that it's an SSL problem, because after logging in again it works perfectly without any warning.

  • SSO EP/Lotus doesn't work

    Hello,
    we are using an EP v7 SP12 and Lotus Domino v6.5.4.
    We had a fine SSO configuration between our portal ("portal.saras.it") and our Lotus system ("mail.saras.it").
    But when we changed the portal domain to "portal.sarasgroup.dom" the SSO with Lotus didn't work fine.
    We thought that the problem could be the different domain suffix, so we tried to do an SSO configuration with another server Lotus (a test server) "mailTest.cagliari.saras.sarasgroup.dom" (the "names.nsf" database is linked from domain "saras.it").
    - We extracted and imported the dll (ds_ticket.dll, sapsecu.dll, wpsso_v3.dll) and the "verify.pse" file.
    - we configured "DSAPI Filter" adding the path of "ds_ticket.dll"
    - We added the value "MySapPsePath = F:\Domino\SAP\verify.pse" in the "notes.ini" file
    - Writing "show configuration MySapPsePath" in the Domino server console, the path is verified successfully.
    - The portal Test User (T000001) is mapped as alias in a Lotus user profile
    - We set the Domino installation path as environment variable in Lotus Server OS (windows 2003)
    Trying to access from the portal, the SSO doesn't work; a login page appears.
    And in the Lotus Server Console the following message is shown:
    "Current AuthData: User =  ,InCache = 0, PreAuth = 0, Flags = 3F
    SSO Ticket found, 484 bytes
    Found sap_user = T000001
    sap_user: T000001 Ticket is invalid or expired
    SAP Ticketverifier Error: invalid ticket.
    SAP Ticketverifier Message: falling back to Lotus Domino Authentication"
    So the portal user ID is recognised by the Lotus system, but the ticket is invalid...
    Are we missing some configurations???
    Why does the Lotus system recognise T000001 but not accept the ticket?
    Please help us!!

    Thanks for your fast answers!!
    In answer to Harish:
    I replaced the portal certificate as described in the link you gave me but nothing is changed...
    In answer to Sandeep:
    I'm sorry but the SAP note mentioned refers to a problem different than mine.
    If you take a look, it refers to an error message like "More than one match for <portal username> in domino directory", whereas my problem is "invalid ticket".
    Any other suggestions??
    Thanks

  • Login/sso doesn't work suddenly

    Hello forum,
    we have a little problem with our productive PI 7.0. All of a sudden the login on Repository and Directory doesn't work anymore. RWB, ABAP login and SLD work properly. Our admin is on holiday and hopefully hasn't changed anything in our user data... Is there a task or anything which could cause this?
    If yes, how to fix it?
    Regards
    Christian

    Hi,
    You can do a soft restart through tcode SMICM on the ABAP stack.
    Tab --> Administration --> ICM --> J2EE Instance --> Send Soft Shutdown --> With Restart.
    It will restart only the Java stack.
    Regards,
    Anurag

  • Partner Application in SSO logout does'nt synchronize

    Hi All,
    I've set up two separate applications on different workspaces and different servers as partner applications. I've followed the instructions from http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    Everything is working fine, but the "logout" doesn't seem to work correctly.
    Example: I log in to Application "A" from the single sign-on homepage; after entering username and password, it directs me to Application "A". After that, I click on Application "B", which is also located on the single sign-on homepage, and it directs me to Application "B" (that's correct). When I click on the "logout" link in Application "A" it works fine, but the other Application (B) doesn't log me out. I can do normal work in Application "B" even though Application "A" has already logged out.

    Hi Scott,
    Thank you for your reply. I've read the two links above and I haven't figured out how to resolve my problem yet. From the link: Logout URL for 9iAS SSO Partner App
    you said:
    Steve - Here's a logout URL that unsets the app's session cookie first, then goes to Single Sign-off, then back to a public page in the app:
    https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
    Can I set the authentication schema logout URL of application "A" to something like: unset the app's session cookies first, then go to Single Sign-off, then go to Application "B" sign-off, and then back to a public page in the app? That way, Application "A", the Single Sign-On, and Application "B" will all be logged out when I click on the "logout" link from Application "A". Am I correct?
    The other question is how I can get the SSO cookie. I've used the owa_cookie.get('cookie_name') function, but it doesn't work for SSO.
    Thanks,
    Kevin

  • SSO logout question

    Good day gentlemen,
    I'm having a little problem with SSO built-in authentication scheme. I've created a simple application to test it, and enabled the built-in authentication scheme, Oracle Application Server Single Sign-On (Application Express as Partner Application).
    - Everything runs fine: when I access the app, the login page configured in SSO shows... but when I log out from the created application it doesn't work correctly; I just enter the app URL again and gain normal access to it.
    My question is: do I have to create a Logout function to invalidate the session?

    Edson,
    There's some discussion here and some good tips from Anton: SSO authentication and another post here, which stresses the importance of first identifying your objectives, as a logout URL in an SSO setup must be constructed so that it does what you want it to do: Logout URL for 9iAS SSO Partner App .
    Scott

  • Why the sign-off page Not Displayed when I do SSO Logout ?

    Hi All,
    I am using Oracle SSO 10.1.4.1 and OID 10.1.4.1 and registering our ADF application to participate in the SSO.
    When I call SSO Logout from the web application with this URL :
    http://myserver:port/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://myserver:port/portal/page/portal/myPORTAL
    It just does the logout "silently" and then redirects to http://myserver:port/portal/page/portal/myPORTAL.
    Shouldn't it first display a page that shows the list of all applications that will be logged off?
    Why does that sign-off page not get displayed?
    Thank you for your help,
    xtanto

    Looking at the product version you mentioned, I assume you are referring to Oracle Access Manager. When you configure a Logout URL, it will just end the session by killing ObSSOCookie and take you to the Logout URL as specified by the Administrator. OOTB, it won't be able to display the list of the applications you will be logged off from. This needs custom development to achieve what you are expecting. First you need to find out which applications the user is logged in to, or to which applications the ObSSOCookie session is passed, and then display them on the Logout URL.

  • OAM 11g Webgate 10g customized SSO logout page

    As stated in the title, I am using OAM 11g and Webgate 10g. I am trying to create a customized SSO logout page but am confused on a few parts. First off, in http://docs.oracle.com/cd/E17904_01/doc.1111/e15478/logout.htm#CHDHFGJC , it states the following step for their logout.html:
    Logic in logout.html redirect to the OAM Server. For example:
    http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/welcome.html
    My question is if this is truly required? Or is there a way to have OAM invalidate the session and do its internal part of the logout procedures without needing to force the user to redirect to the OAM server's logout URL (e.g. it automatically recognizes that the Webgate URL is "...../logout.html" and handles it properly). From talking to colleagues it sounds like this should be possible, and I see some mentions of it in the above documentation, but this appears to be 11g OAM and 11g Webgate behavior. At the same time though, the line "Logout is initiated when an application causes the invocation of the logout.html file configured for any registered OAM 10g Webgate." leads me to believe that it can work with 10g Webgate as well.
    Or, is there a way to have multiple valid logout pages on the OAM server? (There is currently a customized logout page that we cannot modify, and does not meet all the requirements we have for look/feel)
    Thank you
    Edited by: mBaldwin on Apr 12, 2013 10:30 AM

    Bump. Any ideas?

  • SSO Logout Status

    I am currently using SSO for authentication and it is functioning properly except the checkmark image does not show on the logout page for the partner application name that was created for APEX. If I am logged into other AS instances running SSO (portal), the checkmark does show for them. Not sure if it is the SSO partner app config or SSO logout URL. Thank you for any information.
    Logout URL on SSO is : wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://server/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://server/pls/apex/f?p=app:page
    Robert

    Robert,
    Logout URL on SSO is : wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://server/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://server/pls/apex/f?p=app:page
    That's the link that appears on the Single Signout page? It should be a fully qualified URL, at least. And it cannot have substitution item syntax like &APP_ID.. But if all you want to happen when the Single Signout page is shown is for a nice checkmark image to appear then just get the login server admin to change your application's partner application registration to use the logout URL of one of the other partner applications for which a checkmark does appear. Either that or create a checkmark image in your images directory and put a link to that in the registration form.
    If you want that logout link to actually do something (unset cookies, etc.), you'll have to do more work, but I don't see any extra benefit of doing that -- once the Single Signout Page is done your users will have to re-authenticate to use your application.
    Scott
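
An added example, not part of any post above and not Oracle or APEX code: a small Python checker that splits a chained logout URL of the shape quoted in these threads into its hops and reports the two problems discussed, a logout that never reaches single sign-off, and a partner application registration URL that is not fully qualified or still contains `&APP_ID.`. The function names and the example.com URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hop markers copied from the logout URLs quoted in the threads above.
APP_LOGOUT = "wwv_flow_custom_auth_std.logout_then_go_to_url"
SSO_LOGOUT = "orasso.wwsso_app_admin.ls_logout"
SUBSTITUTION = re.compile(r"&[A-Z0-9_]+\.")  # APEX syntax such as &APP_ID.


def split_logout_chain(url):
    """Return the hops of a chained logout URL as (kind, value) pairs."""
    hops = []
    rest = url
    marker = APP_LOGOUT + "?p_args="
    if marker in rest:
        head, tail = rest.split(marker, 1)
        hops.append(("app_logout", head + APP_LOGOUT))
        # p_args has the form <application id>:<URL to visit next>
        app_id, _, rest = tail.partition(":")
        hops.append(("app_id", app_id))
    marker = SSO_LOGOUT + "?p_done_url="
    if marker in rest:
        head, tail = rest.split(marker, 1)
        hops.append(("sso_logout", head + SSO_LOGOUT))
        hops.append(("done_url", tail))
    elif rest:
        hops.append(("target", rest))
    return hops


def is_fully_qualified(value):
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def review_logout_url(url, registered_with_sso=False):
    """List the problems the threads describe for a logout URL.

    registered_with_sso=True means the URL is stored in the partner
    application registration, where nothing resolves &APP_ID. for it.
    """
    hops = split_logout_chain(url)
    findings = []
    if "sso_logout" not in [kind for kind, _ in hops]:
        findings.append("no single sign-off hop: SSO cookie survives logout")
    for kind, value in hops:
        if kind != "app_id" and not is_fully_qualified(value):
            findings.append(f"{kind} is not a fully qualified URL")
        if registered_with_sso and SUBSTITUTION.search(value):
            findings.append(f"{kind} contains unresolved substitution syntax")
    return findings


# Constructed sample URLs (hosts and page numbers are placeholders).
APP = "https://apps.example.com/pls/apex/"
SSO = "https://login.example.com/pls/orasso/"
SCHEME_URL = (APP + APP_LOGOUT + "?p_args=&APP_ID.:" + SSO + SSO_LOGOUT
              + "?p_done_url=" + APP + "f?p=&APP_ID.:1")
APP_ONLY_URL = APP + APP_LOGOUT + "?p_args=100:" + APP + "f?p=100:1"
RELATIVE_REGISTRATION = (APP_LOGOUT + "?p_args=&APP_ID.:" + SSO + SSO_LOGOUT
                         + "?p_done_url=" + APP + "f?p=100:1")

if __name__ == "__main__":
    for label, url, registered in [
        ("scheme logout URL", SCHEME_URL, False),
        ("app-only logout URL", APP_ONLY_URL, False),
        ("registration URL", RELATIVE_REGISTRATION, True),
    ]:
        print(label, "->", review_logout_url(url, registered) or "ok")
```
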

  • OBIEE 11.1.1.6.2 BP1 SSO with AD not working on MAC OS 10.6.8

    Hi Experts,
    We have setup SSO in our production with OBIEE 11.1.1.6.2 BP1 version and Active directory. All seems to work fine on all browsers. But on MAC OS 10.6.8 when we use Safari 5.1.7 it doesn't work. But when we use the application on MAC OS version 10.7.5 and safari version 6.0.1 and it is working fine. Can anyone please let me know if you have come across the scenario and the solution for this. In windows it works perfectly fine on all browsers. Only this version of MAC and Safari is giving us the trouble.
    Thanks in advance for any solution provided.
    Regards,
    Satyabrat

    JavaScript and Cookies are enabled.  my cookies list shows at least 3 associated with hulu.  Funny thing is, if I grab the up/down control bar on right side of screen with my mouse, then hulu plays in a somewhat chopped frame by frame. As soon as I let go, the frame freezes yet audio portion continues.
    I don't know what a munged Hulu cookie is, however.

  • Can't log out of twitter on my iPad.  It doesn't work.  I am able to do it using the website.

    The twitter app for iPad doesn't work when I try to logout.  It's so frustrating that I deleted it and use twitter online.

    Try and force iPad into Recovery Mode
    1. Disconnect the USB cable from the device, but leave the other end of the cable connected to your computer's USB port.
    2. Turn off the device: Press and hold the Sleep/Wake button for a few seconds until the red slider appears, then slide the slider. Wait for the device to turn off.
    3. While pressing and holding the Home button, reconnect the USB cable to the device. The device should turn on.
    4. Continue holding the Home button until you see the "Connect to iTunes" screen. When this screen appears, release the Home button. iTunes should alert you that it has detected a device in recovery mode. Click OK, and then click Restore to restore the device.
    Note: Data will be lost. You may have to repeat the above many times.

  • JavaScript doesn't work on some websites with FireFox 8

    When I login to some site, like my online banking site (https://www.txn.banking.pcfinancial.ca), some JavaScript links do not work in FF8 (but they work in FF7 and IE7/8). Most annoyingly, the Logout link doesn't work, so I can't safely logout from my banking site. I contacted the bank, but they say that because it works in other browsers, it must be a problem with FF8, and I tend to agree.

    Start Firefox in Safe Mode to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    * Don't make any changes on the Safe mode start window.
    * https://support.mozilla.com/kb/Safe+Mode
    * https://support.mozilla.com/kb/Troubleshooting+extensions+and+themes

  • When forced quit doesn't work???

    What do I do when forced quit doesn't work?? This happens occasionally when something freezes, like Logic did today. I force quit, and wait... and wait... and nothing happens. I try and restart and it keeps coming up with the same window: Logout timed out, please force quit to continue or cancel.
    Anyways I hit force quit over and over and nothing happens. I resolve to holding the button and manually restarting the computer. How can I get this thing to force quit?!!
    - All updated
    - Repaired permissions
    - Repaired disk (nothing was wrong anyways)

    Funny you should ask as I had the EXACT same problem this afternoon.
    I had to do a hard restart.
    But, then I got the gray spinning startup.
    So, I had to restart from my backup drive (thank you SuperDuper!).
    Then, 5 minutes later my internal hard drive reappeared.
    Then, I restarted from my internal drive.
    I had this problem in April (I took notes) and Apple replaced my hard drive.
    Your mileage may vary.
