Problem Description: The architecture has OAS 10.1.4.3, OAM 10.1.4.3, OID 10.1.4.3 and Portal 11g installed on the production server node. OAM is integrated with Portal 11g. I faced some issues while implementing global logout in our project. The problem is that the same user ID reappears after logging out and logging in again in the same session, in every application except the portal. OAM 10g and the Portal 11g application sit on different machines. We have 10 different applications, and all of them, including the portal, are integrated with OAM. Users access the applications through the portal. The logout link is visible only in the portal, not in the other applications.
Case 1: I logged into the portal as user “A” and then accessed the SOA worklist, which opened in a new window. The SOA worklist showed user “A” as logged in. I then closed the SOA worklist window and clicked the logout link in the portal application.
I then logged into the portal again as a different user, “B”, in the same session. I clicked the SOA application again and it opened in a different window. This time I saw user “A” instead of “B”.
Problem: The cookies still held values from the previous authentication. Normally, when we access an application link under the portal, WebGate intercepts the request and checks whether the cookie holds a value. If there is no value in the cookie, a new authentication takes place; otherwise the previous authentication values are used. In this case the cookie still had a value because it was not deleted, so no authentication took place and the previous values were used.
So I came up with the following plans:
1. Tried to delete all cookies from the portal domain.
Result: For security reasons we were not able to delete the other domains' cookies.
2. Call multiple logout pages from the portal domain using the logout URL option in the WebGate profile.
Result: Oracle Access Manager does not support this.
3. Tried to call the logout page of each application one by one.
Result: After a lot of R&D this plan was implemented and the problem described above was resolved.
For example, when the user clicks logout in the portal, it triggers the portal's logout page. Here I clear all cookies under the portal domain except ObSSOCookie, because if I cleared this cookie I would not be able to call the other logout page URLs without authentication if those pages are protected. For this reason I do not clear this cookie. I then trigger the logout page of EBao, where I clear the cookies under that domain, and then trigger the next application's logout page URL, and so on. It is a chained call, and at the end of the chain I clear ObSSOCookie and display information to the user.
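The chained logout described above can be modelled as follows. This is an added example, not code from the original post or from Oracle: the host names, paths, application cookie names and the parent-domain scope of ObSSOCookie are assumptions made for illustration, and the cookie jar is a constructed sample.

```javascript
// Added example: hosts, paths and app cookie names are constructed placeholders.
const SSO_COOKIE = "ObSSOCookie"; // kept until the last hop of the chain

const CHAIN = [ // logout pages in call order, portal first
  { host: "portal.example.test", path: "/logout" },
  { host: "ebao.example.test", path: "/logout" },
  { host: "soa.example.test", path: "/logout" },
];

const SAMPLE_JAR = [ // constructed browser cookie jar after an SSO session
  { name: SSO_COOKIE, domain: ".example.test" }, // assumed parent-domain scope
  { name: "PORTAL_SESSION", domain: "portal.example.test" },
  { name: "EBAO_SESSION", domain: "ebao.example.test" },
  { name: "SOA_SESSION", domain: "soa.example.test" },
];

// Cookies a browser would send to this host: exact host or parent-domain match.
function visibleTo(host, jar) {
  return jar.filter((c) =>
    c.domain === host || (c.domain.startsWith(".") && host.endsWith(c.domain)));
}

// One logout page: expire every cookie it can see, but spare the SSO cookie
// unless this is the last hop, then redirect to the next logout page.
function logoutStep(chain, index, cookiesSeen) {
  const last = index === chain.length - 1;
  const expire = cookiesSeen.filter((c) => last || c.name !== SSO_COOKIE);
  const setCookie = expire.map((c) =>
    `${c.name}=; Domain=${c.domain}; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT`);
  const hop = chain[index + 1];
  return { expire, setCookie, next: last ? null : `https://${hop.host}${hop.path}` };
}

// Walk the whole chain against the jar and record the state after each hop.
function runChain(chain, jar) {
  let remaining = jar.slice();
  const trace = chain.map((hop, i) => {
    const step = logoutStep(chain, i, visibleTo(hop.host, remaining));
    remaining = remaining.filter((c) => !step.expire.includes(c));
    const ssoStillPresent = remaining.some((c) => c.name === SSO_COOKIE);
    return { host: hop.host, ssoStillPresent, next: step.next };
  });
  return { trace, remaining };
}
```

Any application left out of the chain keeps its own session cookie, which is the stale user “A” condition from Case 1.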
I believe this post will help you to get out of this issue. Thanks.
An Oracle Identity and Access Management professional who has worked on Oracle Access Manager Single Sign-On implementations, installation/configuration of Identity Server, WebPass, WebGate, AccessGate, Policy Manager, Access Server, Policy Domains, Authentication/Authorization schemes, Single Sign-On (single and multi-domain), OIM, OVD, OID, OAAM, OIF, and High Availability/Failover/SSL deployment.