Configuring the Liberty server to track logged out LTPA tokens

You can configure a Liberty server to track logged out Lightweight Third Party Authentication (LTPA) tokens.

About this task

In Open Liberty version 22.0.0.11 and later, documentation for tracking logged-out cookies, including the distributed logged-out cookie cache, is available on the Open Liberty website.

When a user is logged out by using either form logout or programmatic logout, the LTPA token that is used for Single Sign On (SSO) is removed from the cookie. The LTPA token is also removed from the local authentication cache and the session is invalidated. However, if a copy of the token was persisted elsewhere and is presented again, it is validated only on its expiration time and the LTPA encryption keys, so it is accepted until it expires.

With trackLoggedOutSSOCookies enabled, the LTPA SSO tokens that were logged out on the server are tracked, and a tracked token that is presented again on the same server is not used. A logout is performed and the user needs to authenticate again.

This configuration works only on a single server: an LTPA token can be tracked only on the server where the user logged out. If the same LTPA token is presented to another server that shares the LTPA keys, and the token has not expired, that server accepts it until the token is also logged out there.

Procedure

To track the tokens that are logged out on a particular Liberty server, enable the following attribute on the webAppSecurity element in server.xml:
<webAppSecurity trackLoggedOutSSOCookies="true"/>

When this attribute is enabled, it might affect your Single Sign On (SSO) scenarios. For example, if the user 'bob' logs in to the same server from multiple browsers, logs out from one browser, and then tries to access the resource from another browser, the user must log in again because the presented token is discarded.
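A configuration-review check for this setting, added here as an example and not part of the Liberty product or its documentation. It parses a server.xml, treats a missing webAppSecurity element or attribute as the default (false), and reports whether logged-out LTPA tokens are tracked; the sample server.xml fragments are constructed for the example.

```python
"""Audit a Liberty server.xml for trackLoggedOutSSOCookies on <webAppSecurity>."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not taken from a real deployment).
SERVER_XML_TRACKING = """<server>
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <webAppSecurity trackLoggedOutSSOCookies="true"/>
</server>"""

SERVER_XML_DEFAULT = """<server>
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <webAppSecurity ssoCookieName="LtpaToken2"/>
</server>"""


def tracks_logged_out_sso_cookies(server_xml: str) -> bool:
    """Return True only if the effective trackLoggedOutSSOCookies value is true.

    Repeated <webAppSecurity> elements are common in merged Liberty configs;
    this check treats the last occurrence of the attribute as the effective
    value. A missing element or attribute means the default (false): logged-out
    tokens are not tracked and a replayed LTPA cookie is accepted until expiry.
    """
    root = ET.fromstring(server_xml)
    value = "false"
    for elem in root.iter("webAppSecurity"):
        value = elem.get("trackLoggedOutSSOCookies", value)
    return value.strip().lower() == "true"


def audit(server_xml: str) -> str:
    """Produce a one-line finding for a configuration review."""
    if tracks_logged_out_sso_cookies(server_xml):
        return "OK: logged-out LTPA tokens are tracked on this server (same-server only)"
    return ("FINDING: trackLoggedOutSSOCookies is not enabled; an LTPA cookie "
            "presented after logout stays valid until the token expires")


if __name__ == "__main__":
    for name, xml in (("tracking", SERVER_XML_TRACKING), ("default", SERVER_XML_DEFAULT)):
        print(f"{name}: {audit(xml)}")
```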