If any of your protected resources have a logout page or button, you need to redirect the user’s logout request to the Access Gateway logout page. The Access Gateway can then clear the user’s session and log the user out of any other resources that have been enabled for single sign-on. If you do not redirect the user’s logout request, the user is logged out of one resource, but the user’s session remains active until inactivity closes the session. If the user accesses the resource again before the session is closed, single sign-on re-authenticates the user to the resource, and it appears that the logout did nothing.
In the Administration Console, click
> > > .In the
section, view the path to the AGLogout page in the option.The Logout URL displays the URL that you need to use for logging users out of protected resources. This option is not displayed until you have created at least one reverse proxy with a proxy service. If you create two or more reverse proxies, you can select which one is used for authentication, and the logout URL changes to match the assigned reverse proxy. For more information on changing the authentication proxy, see Section 6.3.2, Changing the Authentication Proxy Service.
Redirect application logout requests to the AGLogout page.
Click
.The Access Gateway does not support the following logout pages that were used in previous version of Access Manager and iChain:
/cmd/BM-Logout
/cmd/ICSLogout
You can create your own logout page and configure the Access Gateway to use it. To do this, you need to modify the logoutSuccess.jsp file on the Access Gateway. It is located in the following directory:
Linux: /opt/novell/nesp/lib/webapp/jsp
Window: \Program Files\Novell\Tomcat\webapp\nesp\jsp
You can modify the file to display what you want or you can modify it to redirect the user to your custom page. The following sections provide some tips for accomplishing this task:
The logoutSuccess.jsp file is called in a frame from the nidp.jsp file. The branding in the header of the logout page is controlled by the branding of the nidp.jsp file. For information on how to modify nidp.jsp for logos, titles, and colors, see Rebranding the Header
in the Novell Access Manager 3.1 SP2 Identity Server Guide.
IMPORTANT:Save a copy of your modified nidp.jsp file. Every time you upgrade your Access Gateway, you need to restore this file.
One way to provide redirection is to replace the information in the <body> element of the logoutSuccess.jsp file with something similar to the following:
<body> <script language="JavaScript"> top.location.href='http://<hostname/path>'; </script> </body>
Replace the <hostname/path> string with the location of your customized logout page.
IMPORTANT:Save a copy of your modified logoutSuccess.jsp file. Every time you upgrade your Access Gateway, you need to restore this file.
If you need to use a different logout page for specific protected resources, you need to modify the logout button of the applications to use the plogout URL rather that the AGLogout URL (see Section 2.10.1, Customizing Applications to Use the Access Gateway Logout Page). The AGLogout page redirects to the plogout page, which calls the logoutSuccess.jsp. You cannot modify the AGLogout URL for parameters, because they are discarded. However, any parameter added to the plogout URL is saved and passed to the logoutSuccess.jsp file.
The parameter passed to the logoutSuccess.jsp file can be used with if/else logic in the body of the page to load different custom logout pages based on the parameter value.
To use the plogout URL, you need to modify the application’s logout button to call the following URL:
<ESP Domain>/nesp/app/plogout
Replace <ESP Domain> with the same value as the AGLogout value. For example, suppose your AGLogout value is the following:
https://jwilson1.provo.novell.com:443/AGLogout
You would replace it with the following value:
https://jwilson1.provo.novell.com:443/nesp/app/plogout
If you add a parameter to the URL, it would look similar to the following:
https://jwilson1.provo.novell.com:443/nesp/app/plogout?app=email
When a user clicks the logout button and the user is logging out of an Access Gateway that is a member of a cluster, the user is not immediately disconnected from the resource. The logout message must be sent to each member of the cluster. The default interval for checking the pending logout message queue is 30 seconds. If this interval is too long, you can configure a shorter interval in the web.xml file of the Embedded Service Provider. This must be set on each Access Gateway in the cluster.
Log in to the Access Gateway as the root or administrator user.
Open the web.xml.
Linux: /opt/novell/nesp/lib/webapps/WEB-INF/web.xml
Windows: /Program Files/Novell/nesp/lib/webapps/WEB-INF/web.xml
Find the <context-param> section in the file.
Add the following parameter to the <context-param> section.
<context-param> <param-name>logoutRetirementFrequency</param-name> <param-value>15000</param-value> </context-param>
Set the <param-value> element to a value between 5000 and 30000 milliseconds (5 seconds and 30 seconds).
Restart the Embedded Service Provider.
For instructions on how to restart the Embedded Service Provider from the Administration Console, see Section 2.3, Managing Access Gateways.