Topic
  • 6 replies
  • Latest Post - ‏2014-02-28T09:22:00Z by Giri_Daks
nitesh.agrawal
5 Posts

Pinned topic single logout from all virtual host junctions

‏2014-02-26T05:01:26Z |

Hi Everyone,

In our environment we have one single WebSEAL instance set up with two virtual host junctions, one for IBM portal server and another for IBM connections.

We have enabled the single sign-on mechanism by setting "shared-domain-cookie" to true, and SSO is working as expected.

Now what we want to achieve is that when a user logs out from either portal or connections, he/she should be logged out from all the junctions. Some of the forums suggested removing cookies when the user logs out from the backend server using JavaScript in the "logout.html" page. I tried that option and after debugging I can confirm the cookies are being removed; however, that option is not helping in our scenario.

WebSEAL does have a setting called "logout-remove-cookie" which is false by default. I changed the value of this setting to true but it's still not helping.

Does anybody have an idea how to achieve that? Any help would be highly appreciated.

Thanks

Nitesh

  • syahrul.aiman
    17 Posts

    Single Sign-Off

    ‏2014-02-26T09:25:01Z  

    Hi Nitesh,

    I believe that you're referring to the Single Sign-off.

    Basically, WebSEAL will send HTTP requests to predefined applications, which are the Portal Server and the Connections, when the session is terminated. These applications will then terminate the associated sessions that are located on junctioned backend servers.

    For more info, you may read the following:

    Overview of the single sign-off functionality:
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_appl_guide/concept/con_single_signoff_overvw.html

    Configuring single signoff:
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_appl_guide/task/tsk_conf_single_signoff.html

    Best regards,
    Aiman

    ____________________________________________
    *In case you are not getting your answer then I would recommend to open a PMR (if you or your company have the IBM Value Package) with IBM support.
    IBM Value Package: http://ibm.com/partnerworld/wps/servlet/ContentHandler/pw_com_vpo_value_package
    Submit your PMR here: http://ibm.com/isv/tech/remoteEmail/entryForm.jsp

  • nitesh.agrawal
    5 Posts

    Re: Single Sign-Off

    ‏2014-02-27T00:13:43Z  

    Hi Aiman,

    Thanks for the reply.

    I have already gone through those links before. Those settings are only applicable in the case of a standard junction, but in our case we are using virtual host junctions. If I try to configure the signoff URI, our WebSEAL instance does not start. Below is the line from the WebSEAL startup log -

    "webseald ERROR wcf Error config.cpp 5017 0x7f3d521df720 -- DPWCF0531E   The configured single sign-off resource is invalid. The resource must reside on a standard junction."

    Thanks

    Nitesh

  • Giri_Daks
    101 Posts

    Re: Single Sign-Off

    ‏2014-02-27T09:35:00Z  

    Did you try calling pkmslogout.form from the portal link? That should remove the session information.

  • goonitsupport
    119 Posts

    Re: Single Sign-Off

    ‏2014-02-27T13:42:18Z  

    Thanks Nitesh. That is a cool feature I wasn't aware of.

    Previously I have coded my own logout.html to request these URLs and destroy any cookies.

  • nitesh.agrawal
    5 Posts

    Re: Single Sign-Off

    ‏2014-02-28T00:03:08Z  
    Hi Giri,

    Thanks for the reply...

    Yes, I configured the portal server as well to call pkmslogout from portal, as suggested in the forum below -

    https://www.ibm.com/developerworks/community/blogs/PortalL2Thoughts/entry/understanding_how_to_redirect_users_on_logout_from_portal3?lang=en

    It does remove the session from WebSEAL, and when I try to access portal again it prompts with the login page. However, when I access IBM connections it does not ask for any credentials and the user logon was successful, and when I navigate back to the portal link I can see the session is restored for portal as well. It happens vice versa as well.

    To me it seems like the backend junction servers are keeping credential information somewhere (maybe in the browser or maybe at their end, I am not sure) and they are refreshing the cookie information whenever a request is made. I am not sure; maybe it's just a theory.

    Thanks

    Nitesh

    Updated on 2014-02-28T00:04:14Z by nitesh.agrawal
  • Giri_Daks
    101 Posts

    Re: Single Sign-Off

    ‏2014-02-28T09:22:00Z  

    You can try reading the cookies and find out whether both cookies have the same domain name. If the junctions are pointing to the same instance with similar config then I guess it should work...
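
The cookie check suggested in the last reply, and the limits of clearing cookies from a logout.html page discussed earlier in the thread, can be worked through offline on captured Set-Cookie headers. This is an added example, not code from any poster or from IBM; the hostnames, cookie names and values are constructed placeholders (BACKEND_SSO is hypothetical), and the two virtual hosts are assumed to share one parent domain.

```python
from http.cookies import SimpleCookie

# Constructed sample data: hostnames, cookie names and values are placeholders,
# not values taken from the thread.
HOSTS = ["portal.example.com", "connections.example.com"]
CAPTURED = [  # (host that sent the response, raw Set-Cookie header value)
    ("portal.example.com",
     "PD-S-SESSION-ID=1_abc; Path=/; Domain=example.com; Secure; HttpOnly"),
    ("portal.example.com", "BACKEND_SSO=tok1; Path=/; Domain=.example.com"),
    ("connections.example.com", "JSESSIONID=0000xyz; Path=/; HttpOnly"),
]

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def audit(captured, hosts):
    """Return one finding per cookie: which scope it has and how it can be cleared."""
    findings = []
    for set_by, header in captured:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"]
            if domain:
                sent_to = [h for h in hosts if domain_matches(h, domain)]
            else:
                sent_to = [set_by]  # no Domain attribute: host-only cookie
            findings.append({
                "name": name,
                "set_by": set_by,
                "domain": domain or "(host-only)",
                "path": morsel["path"] or "/",
                # True when the browser sends this cookie to every virtual host
                "shared": len(sent_to) == len(hosts),
                # HttpOnly cookies are invisible to JavaScript in logout.html
                "js_can_clear": not morsel["httponly"],
            })
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURED, HOSTS):
        print(finding)
```

A cookie reported as shared keeps being sent to the other virtual host until it is expired with the same Domain and Path it was set with, and one reported with js_can_clear False can only be expired by a server response, not by script in logout.html.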