Tuesday Sep 22, 2009
A Good Morning for Single Logout Between Identity Manager and OpenSSO
This entry describes how to configure single logout between Identity Manager 8.1.0.5 (to be released sometime in October) and OpenSSO Enterprise 8.0. In the Identity Manager WAR, /idm is the base context of the deployment and thus the administrator area; /idm/user is the user area. Once single logout is configured, the following should hold:
- If logged out of the administration area, the person should be redirected to the administration area upon re-login.
- If logged out of the user area, the person should be redirected to the user area upon re-login.
To configure this:
- Log in to the OpenSSO administration console as the administrator.
- Click the Access Control tab.
- Click the appropriate realm name and navigate to the agent profile for the policy agent that protects Identity Manager.
- Under the agent profile, click the Application tab.
- Click Logout Processing.
- Add the following map keys and values to the Application Logout URI property:
  idm=/idm/logout.jsp
  idm/user=/idm/user/userLogout.jsp
- Add the following map keys and values to the Logout Entry URI property:
  idm=/idm
  idm/user=/idm/user
- Click Save.
- Log out of OpenSSO.
- Log in to Identity Manager.
- In the Identity Manager application window, click Logout IDM.
This should log you out of both Identity Manager and OpenSSO and then redirect you back to the OpenSSO login page.
- Log in to OpenSSO.
You should be redirected to the specific Identity Manager administrator or user profile.
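A way to check the two maps before testing the logout flow, given as an added example that is not part of the original post or of OpenSSO. It assumes the agent configuration is available as properties text and that the two console fields are stored under the keys shown in the code; the sample configurations are constructed.

```python
import re

# Assumed property keys behind the console fields "Application Logout URI"
# and "Logout Entry URI"; confirm them against your own agent configuration.
LOGOUT_URI = "com.sun.identity.agents.config.logout.uri"
ENTRY_URI = "com.sun.identity.agents.config.logout.entry.uri"
LINE = re.compile(r"^\s*([\w.]+)\[([^\]]+)\]\s*=\s*(.*?)\s*$")

def parse_maps(text):
    """Return (logout_map, entry_map), each {context_key: uri}."""
    maps = {LOGOUT_URI: {}, ENTRY_URI: {}}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in maps:
            maps[m.group(1)][m.group(2)] = m.group(3)
    return maps[LOGOUT_URI], maps[ENTRY_URI]

def lint(text):
    """List inconsistencies between the two logout maps."""
    logout, entry = parse_maps(text)
    problems = []
    for key in sorted(set(logout) | set(entry)):
        if key not in logout:
            problems.append(f"{key}: no Application Logout URI")
            continue
        if key not in entry:
            problems.append(f"{key}: no Logout Entry URI")
        uri = logout[key]
        if not uri.startswith("/"):
            problems.append(f"{key}: logout URI {uri!r} is not an absolute path")
        if "=" in uri.split("?")[0]:  # a second key=value fused into the path
            problems.append(f"{key}: logout URI {uri!r} looks like two entries run together")
    return problems

# Constructed sample: the mappings from this post, one entry per line.
GOOD = f"""
{LOGOUT_URI}[idm]=/idm/logout.jsp
{LOGOUT_URI}[idm/user]=/idm/user/userLogout.jsp
{ENTRY_URI}[idm]=/idm
{ENTRY_URI}[idm/user]=/idm/user
"""
# Constructed sample: both logout entries pasted as a single value.
BAD = f"""
{LOGOUT_URI}[idm]=/idm/logout.jspidm/user=/idm/user/userLogout.jsp
{ENTRY_URI}[idm]=/idm
{ENTRY_URI}[idm/user]=/idm/user
"""

if __name__ == "__main__":
    print("GOOD:", lint(GOOD) or "ok", "| BAD:", lint(BAD))
```

A context that appears in only one of the two maps, such as idm/user in the second sample, is the case to look for when logout works from one area but not the other.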
Posted at 09:34AM Sep 22, 2009 by Michael Teger in Sun | Comments[4]

Thanks for the post; however, using OpenSSO 8.0 Update 1 patch 1 and J2EE agent 3.0 for WebLogic 10, only the first entry in the Application Logout URI is checked because the agent log files show that only the first URL in the Application Logout URI list is compared with the requested URI.
Thanks.
Posted by Bijan Vakili on September 24, 2009 at 04:04 PM PDT #
Thanks Bijan. I should have mentioned that this is pertinent to 8.0 and the configurations might have slight differences for the Express or Update builds. I'm glad you got it to work.
Posted by Michael Teger on September 24, 2009 at 04:14 PM PDT #
Actually the agent is not logging out the user when the user goes to the second URI, e.g. [idm host url]/idm/user/userLogout.jsp, because I have [idm host url]/idm/logout.jsp as the first entry in the Application Logout URI.
Thanks.
Posted by Bijan Vakili on September 24, 2009 at 04:18 PM PDT #
Ok, my bad DocTeger because the URI entry I had there was incorrect.
I had to add the following mappings for it to work:
[idm/user/star]=/idm/user/userLogout.jsp?*
[idm/star]=/idm/logout.jsp?*
Thanks for the post!
Posted by Bi Va on October 15, 2009 at 04:24 PM PDT #