SSO logout question

Good day gentlemen,
I'm having a little problem with the SSO built-in authentication scheme. I've created a simple application to test it, and enabled the built-in authentication scheme, Oracle Application Server Single Sign-On (Application Express as Partner Application).
Everything runs fine: when I access the app, the login page configured in SSO shows... but when I log out from the created application it doesn't work correctly; I just enter the app URL again and gain normal access to it.
My question is: do I have to create a Logout function to invalidate the session?

Edson,
There's some discussion here and some good tips from Anton: SSO authentication and another post here, which stresses the importance of first identifying your objectives, as a logout URL in an SSO setup must be constructed so that it does what you want it to do: Logout URL for 9iAS SSO Partner App.
Scott

Similar Messages

  • OAM 11g Webgate 10g customized SSO logout page

    As stated in the title, I am using OAM 11g and Webgate 10g. I am trying to create a customized SSO logout page but am confused on a few parts. First off, in http://docs.oracle.com/cd/E17904_01/doc.1111/e15478/logout.htm#CHDHFGJC , it states the following step for their logout.html:
    Logic in logout.html redirect to the OAM Server. For example:
    http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/welcome.html
    My question is if this is truly required? Or is there a way to have OAM invalidate the session and do its internal part of the logout procedures without needing to force the user to redirect to the OAM server's logout URL (eg: it automatically recognizes that the Webgate URL is "...../logout.html" and handles it properly). From talking to colleagues it sounds like this should be possible, and I see some mentions of it in the above documentation, but this appears to be 11g OAM and 11g Webgate behavior. At the same time though, the line "Logout is initiated when an application causes the invocation of the logout.html file configured for any registered OAM 10g Webgate." leads me to believe that it can work with 10g webgate as well.
    Or, is there a way to have multiple valid logout pages on the OAM server? (There is currently a customized logout page that we cannot modify, and does not meet all the requirements we have for look/feel)
    Thank you
    Edited by: mBaldwin on Apr 12, 2013 10:30 AM

    Bump. Any ideas?

  • SSO logout not working properly (cookie remains set)

    Hi, I've just implemented single sign-on authentication for my APEX 2.2 applications with help of these two howtos:
    http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html#INSTALL
    http://becomeappsdba.blogspot.com/2007/01/apex-apps-configure-sso-ii.html
    It works quite smoothly, e.g. for pages that require authentication the user is redirected ("Redirecting to the Login Server for authentication...") to the SSO server (another machine, a part of Oracle Collaboration Suite infrastructure). There on the login screen, the user enters the credentials and after submit (if the credentials are OK) is redirected back to the APEX application as an authenticated user.
    When the user clicks "Logout", the application redirects him (her) to the page specified in the "Logout URL" attribute of the SSO authentication scheme and the displayed username changes to "nobody". So far so good.
    However, the problem is that the user is in fact not logged out. On a subsequent attempt to get to an authenticated page within the same browser window the application displays for a short while "Redirecting to the Login Server for authentication..." but it doesn't really get the user to the SSO logon screen to enter username and password and instead it redirects him (her) directly to the required page as the previously authenticated user (the user who clicked the "Logout" sign). The only workaround is to close the browser window and start over again as the other user, which is neither very convenient nor secure. It seems that despite the seeming logout the cookie remains set and I don't know how to force the application to get rid of the cookie upon logout.
    Has anybody faced this behaviour and has some assistance for me?
    Thanks in advance.
    Zdenek

    Scott,
    thank you very much for your prompt explanation and pointing to the right thread. There, I was able to quickly find what I was looking for - the logout URL:
    https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
    Having that, it took me just 5 minutes to adopt it to my conditions (change machine names & page number), paste it to the SSO authentication scheme's logout URL field and successfully test it.
    To summarize for others in need, these are relevant links to this topic:
    Re: Partner Application in SSO logout does'nt synchronize
    SSO authentication
    Logout URL for 9iAS SSO Partner App
    Thanks again & apologies for asking this question without first searching properly for an answer in this excellent & useful forum.
    Zdenek

  • Why the sign-off page Not Displayed when I do SSO Logout ?

    Hi All,
    I am using Oracle SSO 10.1.4.1 and OID 10.1.4.1 and registering our ADF application to participate in the SSO.
    When I call SSO Logout from the web application with this URL :
    http://myserver:port/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://myserver:port/portal/page/portal/myPORTAL
    It just does the logout "silently" and then redirects to http://myserver:port/portal/page/portal/myPORTAL.
    Shouldn't it first display a page that shows the list of all applications that will be logged off?
    Why does that sign-off page not get displayed?
    Thank you for your help,
    xtanto

    Looking at the product version you mentioned, I assume you are referring to Oracle Access Manager. When you configure a Logout URL, it will just end the session by killing ObSSOCookie and take you to the Logout URL as specified by the Administrator. OOTB, it won't be able to display the list of the applications you will be logged off from. This needs custom development to achieve what you are expecting. First you need to find out what all applications the user is logged in or to what all applications the ObSSOCookie session is passed and then display them on the Logout URL.

  • SSO Logout Status

    I am currently using SSO for authentication and it is functioning properly except the checkmark image does not show on the logout page for the partner application name that was created for APEX. If I am logged into other AS instances running SSO (portal), the checkmark does show for them. Not sure if it is the SSO partner app config or SSO logout URL. Thank you for any information.
    Logout URL on SSO is : wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://server/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://server/pls/apex/f?p=app:page
    Robert

    Robert,
    Logout URL on SSO is : wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://server/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://server/pls/apex/f?p=app:page
    That's the link that appears on the Single Signout page? It should be a fully qualified URL, at least. And it cannot have substitution item syntax like &APP_ID.. But if all you want to happen when the Single Signout page is shown is for a nice checkmark image to appear then just get the login server admin to change your application's partner application registration to use the logout URL of one of the other partner applications for which a checkmark does appear. Either that or create a checkmark image in your images directory and put a link to that in the registration form.
    If you want that logout link to actually do something (unset cookies, etc.), you'll have to do more work, but I don't see any extra benefit of doing that -- once the Single Signout Page is done your users will have to re-authenticate to use your application.
    Scott
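
The chained logout URL quoted in Zdenek's reply above (unset the application session, then Single Sign-Off, then a public page) and Scott's two constraints on the partner application registration URL, as an added Python example that is not part of any post or of Oracle's code. The function names are hypothetical and the substitution pattern is a heuristic; the sample URLs are the ones quoted in the threads.

```python
import re

# APEX substitution syntax such as &APP_ID. is expanded only inside APEX,
# so it must not reach the SSO server's partner application registration.
SUBSTITUTION = re.compile(r"&[A-Za-z][A-Za-z0-9_]*\.")   # heuristic pattern
ABSOLUTE = re.compile(r"^https?://[^/?#\s]+", re.IGNORECASE)
APP_LOGOUT = "wwv_flow_custom_auth_std.logout_then_go_to_url"
SSO_LOGOUT = "wwsso_app_admin.ls_logout"

# URLs as quoted in the threads (placeholders such as host:port kept as-is).
CHAIN = ("https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url"
         "?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/"
         "orasso.wwsso_app_admin.ls_logout"
         "?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE")
REGISTERED = ("wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:"
              "http://server/pls/orasso/orasso.wwsso_app_admin.ls_logout"
              "?p_done_url=http://server/pls/apex/f?p=app:page")


def parse_chain(logout_url):
    """Split a chained logout URL into its hops, in the order the browser visits them."""
    hops = {"app_logout": None, "app_id": None, "sso_logout": None, "done_url": None}
    rest = logout_url
    # Hop 1: APEX unsets its own session cookie; p_args is "<app id>:<next URL>".
    head, sep, args = rest.partition("?p_args=")
    if sep and head.lower().endswith(APP_LOGOUT):
        hops["app_logout"] = head
        hops["app_id"], _, rest = args.partition(":")
    # Hop 2: Single Sign-Off on the login server; hop 3: p_done_url.
    head, sep, done = rest.partition("?p_done_url=")
    if head.lower().endswith(SSO_LOGOUT):
        hops["sso_logout"] = head
        hops["done_url"] = done or None
    return hops


def audit_scheme_logout_url(logout_url):
    """Findings for the Logout URL field of the APEX authentication scheme."""
    hops = parse_chain(logout_url)
    findings = []
    if hops["app_logout"] is None:
        findings.append("application session cookie is not unset first")
    if hops["sso_logout"] is None:
        findings.append("no Single Sign-Off hop: the SSO session survives logout")
    elif hops["done_url"] is None:
        findings.append("no p_done_url: no return target after Single Sign-Off")
    return findings


def audit_registration_logout_url(url):
    """Findings for the logout URL stored in the partner application registration."""
    findings = []
    if not ABSOLUTE.match(url):
        findings.append("not a fully qualified URL")
    if SUBSTITUTION.search(url):
        findings.append("contains APEX substitution syntax")
    return findings


if __name__ == "__main__":
    for name, value in parse_chain(CHAIN).items():
        print(f"{name:11} {value}")
    print(audit_scheme_logout_url("https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE"))
    print(audit_registration_logout_url(REGISTERED))
```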

  • Partner Application in SSO logout does'nt synchronize

    Hi All,
    I've set up two separate applications on different workspaces and different servers as partner applications. I've followed the instructions from http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html. Everything is working fine, but the "logout" doesn't seem to work correctly.
    Example: I log in to Application "A" from the single sign-on homepage; after entering username and password, it directs me to Application "A". After that, I click on Application "B", which is also located on the single sign-on homepage, and it directs me to Application "B" (that's correct). When I click the "logout" link in Application "A" it works fine, but the other application (B) doesn't log me out. I can do normal work in Application "B" even though Application "A" has already logged out.

    Hi Scott,
    Thank you for your reply. I've read the two link above and I don't figure out how to resolve my problem yet. From the link: Logout URL for 9iAS SSO Partner App
    you said:
    Steve - Here's a logout URL that unsets the app's session cookie first, then goes to Single Sign-off, then back to a public page in the app:
    https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
    Can I set the authentication scheme logout URL of application "A" to something like: unset the app's session cookies first, then go to Single Sign-off, then go to Application "B" sign-off, and then back to a public page in the app? That way it will log out Application "A", log out of Single Sign-On, and log out Application "B" when I click on the "logout" link from Application "A". Am I correct?
    The other question is how can i get the SSO cookie. I've used the owa_cookie.get('cookie_name') function, but it doesn't work for SSO.
    Thanks,
    Kevin

  • SSO logout issue with APEX

    I am trying to resolve the logout URL issue with our APEX application configured as a partner application with SSO. The partner application name is SSO_APEX and the logout URL is defined in partner application as
    http://OID_Server:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout where OID_Server is our OID server name.
    In the APEX application page, I tried to open the application that was imported from another apex server.
    Home>Application Builder>Application 107>Shared Components>Authentication Schemes
    SSO_Auth - current is
    &INFRA_NAME./pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=&SERVER_NAME./pls/htmldb/f?p=&APP_ID.
    The logout link is http://INFRA_NAME:7777/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http://SERVER_NAME/pls/cms/f?p=107 , The application is retrieving the INFRA_NAME and SERVER_NAME values from a database table and they correspond to the OID and 10g application servers respectively.
    The logout link should take it to the login page where the user will be prompted to enter login credentials again however it is currently taking to the above logout link page from APEX. It is not changing even though I specified a different logout link in partner application page. Moreover the check box beside SSO_APEX in the logout page is unchecked.
    The authentication scheme of application is overriding the partner application configuration. How can I make sure the logout is actually happening? Thanks in advance for any suggestions.
    Pavan.

    Scott,
    I am having the same issue, and have posted on another thread about this same thing. I know that's inappropriate to post the same thing in multiple threads, but I was searching the forum again today, and Pavan described exactly what I'm experiencing.
    We have been using SSO for about 4 years or so now, and haven't had logout issues. Our DBA at the time had written his own logout function for SSO where he invalidated the cookie with owa_cookie calls. It's worked until now. We have upgraded our database servers and all URLs referencing those servers are now in a different domain than our OAS server. Now the logic in the logout function is no longer invalidating the cookie for SSO (because it's in a different domain). SSO login and authentication still work, it's just the logout that does not.
    I'd like to just alter the logout URL to redirect to the OAS server for logout as you described. But here's what's happening. I press logout link, and it takes me to the OAS Single Sign-Off page where it shows the services it's logging you out of, but it doesn't automatically redirect (just sits there until I press the Return button).
    Is that expected (no automatic redirect)?
    And as Pavan mentioned, the Partner application name (APEX_SERVERNAME_SSO) doesn't show a checkmark next to it. If I go back to my application, I get right back in without being prompted for SSO (ie, not logging out successfully then).
    I know there are a lot of question marks here, but I'm not sure if there's something obvious I am missing or if there's something else I need to fix that I don't know about.
    Can you offer any guidance?
    Thank you for your time,
    Chris

  • BOBJ XI 3.1 SP7 SSO logout and login again not working

    Hello,
    The customer have a deployment of five BOBJ XI 3.1 SP7 with Tomcat 7 servers and AD integration with SSO.
    The case is that:
    The SSO login works fine on all servers, but when click logout and then go to the address bar and hit enter on the first four servers SSO reacts again, but on the 5th does not. The only way to login again is to close the browser and open it again.
    The configuration and the versions of Tomcats is exactly the same. The only difference is in the version of Windows the first four servers are on Windows 2003R2, but the 5th(the last) is on Windows Server 2008R2. I think the problem is somewhere in the application server(the Tomcat), but the server.xml and the web.xml of the InfoViewApp are the same.
    The SPNs are:
    BOBJCentralMS/hostname serviceaccount
    HTTP/hostame serviceaccount
    HTTP/FQDN serviceaccount
    I'm out of ideas so if somebody can help I'll be happy.
    Thank you in advance!
    Dilyan

    Hi Manna Das,
    I'll check the log, when i go to the customer(have no remote connection).
    Hi Sebastian Wiefett,
    Where in the BOBJ documents is it described that all nodes in the cluster must be on the same OS? I think it does not matter. Only the version of SP and FP must be the same.
    Different browsers are not allowed in the customer's network. Only Internet Explorer.
    I'll try Kerberos debugger. I forgot about it.
    Hi raunak kumar,
    The case is not the same. First the resolution described in SAP Note 1835729 is included in SP7, second here the problem is not on the refresh page(F5), but on click in the address bar and hit "enter". There is difference between the two methods.
    Thank you for the suggestions!

  • JSESSIONID not deleted during SSO logout

    We have an ADF/Struts webapp on OracleAS 10.1.2.0.2 protected by SSO (mod_osso). When a user logs off from SSO, a success mark is shown from each partner app where the user was logged in (including our application), but the user remains logged in to the webapp nevertheless.
    I have tracked the problem down to the JSESSIONID cookie, which causes the user to be logged in the application as long as the cookie is present. All the strictly SSO-related cookies are deleted during the logout except the JSESSIONID for the SSO partner webapp. The user is always correctly logged out from e.g. OIDDAS after logout.
    After logout, if I go and destroy the cookie either by manually deleting it from my browser or by closing the web browser, mod_osso immediately shows the SSO login page. I have also verified by tracing the HTTP traffic that it is the JSESSIONID cookie that causes this behaviour.
    In Metalink article Note:258200.1, it is said that JSESSIONID cookie is not directly related to SSO so why is it a key factor when deciding whether a user actually is logged off from the application? Furthermore, the metalink article clearly states that the JSESSIONID cookie is deleted during logout (which is not the case).
    As far as I remember, we have never been able to see it working in our setup.
    Can mod_osso/SSO/whatever be configured to delete the JSESSIONID during the SSO log off or what would be the correct way to get the logoff working? Furthermore, shouldn't mod_osso actually ignore the JSESSIONID cookie and only care about the SSO-related cookies when deciding whether to allow the user in?
    TIA,
    Markus

    We solved the problem by implementing a Servlet filter that takes care of invalidating the user session if the user has logged out (either explicitly or through Global User Inactivity Timeout).
    The solution follows the guidelines described in
    Oracle Identity Management Application Developer's Guide section "9.4.1 Single Sign-Off and Application Logout" (http://download-uk.oracle.com/docs/cd/B14099_19/idmanage.1012/b14087/mod_osso.htm#BJFGAGIA)
    IMHO, the solution is a bit overkill, but it solved the problem. We haven't yet tried the solutions proposed by Rodrigo.
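
The approach in the reply above (drop the application's own session once the SSO identity is gone), as an added example that is not the poster's filter or Oracle's code: a Python WSGI middleware stands in for the servlet filter. It assumes the SSO front end supplies the authenticated user in REMOTE_USER and omits it after sign-off; SsoSessionGuard, SESSIONS and the /login path are hypothetical names.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"   # cookie name taken from the thread
SSO_USER_KEY = "REMOTE_USER"    # assumption: set by the SSO front end, absent after sign-off
SESSIONS = {}                   # session id -> user name (in-memory store, example only)


def session_id_from(environ):
    """Return the application session id sent by the browser, if any."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
    return morsel.value if morsel else None


class SsoSessionGuard:
    """Keep the application session only while it matches the SSO identity."""

    def __init__(self, app, login_path="/login"):
        self.app = app
        self.login_path = login_path

    def __call__(self, environ, start_response):
        sso_user = environ.get(SSO_USER_KEY) or None
        sid = session_id_from(environ)
        owner = SESSIONS.get(sid)
        extra = []

        # The failure described in the thread: a local session that outlives
        # the SSO session. Destroy it server-side and expire the cookie.
        if owner is not None and owner != sso_user:
            del SESSIONS[sid]
            owner = None
            extra = [("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; Path=/")]

        if sso_user is None:
            # No SSO identity: never serve from a leftover session.
            start_response("302 Found", [("Location", self.login_path)] + extra)
            return [b""]

        if owner is None:
            # Fresh identifier for every new login, never a reused one.
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = sso_user
            extra = [("Set-Cookie",
                      f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure")]

        def with_cookie(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)

        environ["example.user"] = sso_user
        return self.app(environ, with_cookie)
```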

  • ApEx SSO logout

    Hello everyone,
    I need ApEx to authenticate via Single Sign On (SSO). I am able to login to ApEx via SSO but logging out fails. I am properly routed to my logout page but an actual logout does not happen.
    I followed instructions per Metalink Note 562807.1, "Configuring an APEX Application to Use SSO With SDK in Separate Schema". After searching the web, it appears that other people are having the same problem but I have not seen a posted solution.
    I am using ApEx version 4.0.2, and Oracle's Application Server version 10.1.2. ApEx is installed in an Oracle 11.2.0.1.
    Has anyone had this problem or does anyone have some information that may help guide me past this logout issue?
    Nate

    I have found that two procedures will log my application out of SSO (Single Sign On).
    1) wwv_flow_custom_auth_std.logout - This procedure does successfully log me out of SSO but it does not bring an application back to the SSO login page.
    2) wwv_flow_custom_auth_std.logout_then_go_to_url - This procedure seems to work better than the above procedure with SSO. This procedure logs an application out of SSO then redirects the application to a page of your choice, in my case, the SSO login page.
    Procedure wwv_flow_custom_auth_std.logout_then_go_to_url is used as follows:
    wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:http://<IDMANAGEMENT_SERVER>:<IDMANAGEMENT_SERVER_PORT>/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://<APEX_MACHINE_NAME>/pls/apex/f?p=&APP_ID.
    Note:
    Your ApEx operation must be registered with SSO

  • SSO Logout Doesn't Work

    [9iAS Release 2 with OID, 9iDB 9.2.0]
    i have a Java partner application registered with the Login Server, and authentication is functioning properly. my application delegates to the LS for user authentication if no session is present, and reads the username correctly once the session has been set. the only problem is... i can't log the user out. i've used the example Oracle code (papplogout.jsp); i've written my own manual cookie-trashing methods in SSOEnablerBean.java; i've copied the redirect code from OIDDAS which auto-posts a form so the ssosignoff package. nothing works. once the redirect returns to ssoHome.jsp (my analog of papp.jsp) after logout the SSO bean recognizes who i am (or, who i was) and happily forwards me back into the application, session and SSO username intact.
    has anyone else experienced this? how can i kill my SSO cookie when a user wishes to logout, without closing the browser?
    thanks
    .rich

    Hi,
    I am looking for solution of the exact problem.
    Have you solved it?
    thanks,
    Branislav

  • Broken Image on SSo Logout Page

    Hi, I've implemented SSO as Partner Application on an HTML DB application. Everything works great, except for the Status Image on the Logout Page, which is not being shown correctly.
    How can I fix this problem. Is this a setting on the SSO Server, or is it an HTML DB issue?
    Regards.

    Ah, ok. That will be a great solution in case I want to customize the images on that page.
    But I just want to use the standard solution with the standard icons. I'd looked at other Oracle applications and I believe that icon is called "osso_logout_success". Do I have to set sth. on the SSO Server in order to view it correctly?
    Regards

  • OAM SSO integration question:How can I get a user identity from ObSSOCookie

    We are building an OAM SSO solution. The App server is both on OAS and WLS. My question is that, after I get the ObSSOCookie from httprequest.
    I need to verify whether the ObSSOCookie is a valid one, and I also need to get user identity from the cookie and pass it to login module to populate user principal.
    Of course, one way of doing that is to install access manager SDK and go from there. But we support multiple OS, it's a pain to add Access manager SDK to different installer for different OS.
    I am trying to use IdentityXML Functions which is a SOAP based webservice so that I don't need to worry about the OS platform. But I can't find a webService which returns user identity based on a valid ObSSOCookie. It seems that I can invoke webService with valid ObSSOCookie, but there is no way to get the user identity back. Am I missing something?
    Hope someone can help me out.
    Thanks.
    -Wei

    Ok. Sounds like you are a vendor trying to play well in an SSO environment.
    Here is what I tell OAM customers when they are evaluating software to see if it will cooperate with a system like OAM.
    Can the software's native authentication scheme be explicitly turned off (usually a configuration in a file)?
    Can the software be configured to accept a token of identity in the form of a Cookie or HeaderVar (also configurable in a file)?
    If the answer to both is yes, then the system is capable of 'third party trust' for authentication.
    From your perspective, your logic for login should be something like:
    Is my native authN turned off?
    If yes, can I find the cookie or header that I should be looking for?
    If yes, take the value and proceed to create user session for this identity per usual (except that you never evaluated the authN - you trust that it was done).
    If no, present the native AuthN scheme anyway.
    If you follow this pattern, you are in the good company of folks like PeopleSoft and Plumtree who had these types of integrations working long ago.
    Yes, there are other ways to do this but, in my humble opinion, this remains the most stable and effective pattern we see.
    What you ask for as the identity token value is up to you. It is often the login ID value that you would have used in your own authN procedure. There's nothing particularly sensitive about having a webgate set headers - they are only available to the server and not to the client. Cookie of course could be seen but can't be spoofed as the webgate has the final word on its content.
    Mark

  • OID SSO Logout issue from the partner application

    As per the below link I am trying the logout functionality from the partner application,
    http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14078/tpsso.htm#i1011555
    The article talks about a logout url pattern, I am trying to execute the below from the partner application.
    https://single_sign-on_host:single_sign-on_ssl_port/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=done_url
    The issue I got is OID server is not redirecting to the p_done_url, it just stays in the same OID logout page, Do I have to create any configuration entry to get the redirection working?
    Thanks

    Hi All,
    Providing more information,
    What I get is the OID logout screen with two return buttons on top and bottom of the page.
    What I found is that when I click any of those it goes to the p_done_url, but what I want is,
    instead of stopping in the OID logout page, auto redirection to the p_done_url.
    Can this be done?
    Thanks

  • Apex as Partner App using OID SSO

    Hi
    I have setup Apex as a partner App in OAS.
    Registered the partner application.
    Created a simple app that uses the builtin Apex auth as partner app using sso.
    I get the OAS login appearing as expected for authentication however upon entering credentials successfully
    The success url takes me to server:7777/sso/auth and displays page can not be found
    My OAS Partner App success url registered is server:7778/dad/apex/wwv_flow_custom_auth_sso.process_success
    app schema registered details
    My lsnr token is HTML_DB:server:7778
    other details cut and copied from OAS registration page.
    lsnr login url is the oas sso login url is this correct?
    Appears to work apart from the success url finding its way back to my app.
    TIA
    Richard.

    Hello all,
    I'm having somewhat of a similar issue, but I think our setup might be making it a bit more complex.
    First question, simple one:
    1.
    In my authentication method in my apex app, when I set my logout URL to http://{myhost}:{myport}/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://www.google.com
    It doesn't automatically redirect. I have to press the Return button on the OAS Single Sign-Off page to redirect to www.google.com
    Is the redirect not automatic? Is there a way to make it automatic?
    2.
    We have the issue where you login via SSO into an APEX application (APEX as a partner app). But the logout url does not truly log the user out. It redirects to our public page as we expect it to, but when they press the login button, it just goes straight back in (as if they were never logged out).
    Now I know this has to do with the cookie, but here's the tricky part.
    Our OAS server (that has Portal) is on a separate box. We've upgraded all our database servers, and they all have now a different domain than the OAS server. So now, OAS is in company1.com domain and our APEX apps are on company2.net domains.
    Our DBA had set up for us his own flavor of SSO logout (public synonym for all apex workspaces to use). He has an actual database procedure that used the owa_cookie package to look for the cookie and invalidate it on logout. With the new domains, his logic no longer works, because I believe the cookie is still in company1.com domain and the logout procedure is running from the company2.net domain and cannot find the cookie (since it's not in its domain).
    After all that, I am thinking that since we can successfully login to SSO in company2.net domain via the OAS server, then we should also be able to logout of SSO successfully via the OAS server as well. Am I on the right track here? Is it possible with multiple domains?
    Thanks,
    Chris
    Edited by: CDub on Oct 19, 2009 1:55 PM
