

Comprehensive Log Out

This section contains the following topics:

How Full Logoff Works

Configure Full Logoff

How to Configure Full Logoff for Single Sign-on

Configure Comprehensive Log Out using FCC Forms

How Full Logoff Works

Full logoff support enables a Web developer to make sure that a user is completely logged off from a user session. This protects resources because it gives users a way to end a session without exiting the Web browser and prevents an unauthorized person from assuming control of an open session.

A full logoff uses the following process:

  1. A user clicks a button to log off.
  2. The Web Agent redirects the user to a customized logoff page that you created.
  3. The Web Agent removes the session and authentication cookies from a user’s browser.
  4. The Web Agent also removes the session cookie from the local cookie domain and the cookie provider domain, which you specify for single sign-on environments.
  5. The Web Agent calls the Policy Server and instructs the Policy Server to remove any session information.

    The user is completely logged off.

More information:

Configure Full Logoff Support for Domino Agents

Configure Full Logoff

The full log-out feature uses a custom log-out page that you create with the following parameter:

LogOffUri

Enables the full log-out function by specifying the URI of a custom web page. This custom web page appears to users after they are successfully logged off. Configure this page so that it cannot be stored in a browser cache. Otherwise, a browser could possibly display a log-out page from its cache without logging the user off. If this situation happens, unauthorized users could possibly have an opportunity to assume control of a session.

Note: When the CookiePath parameter is set, the value of the LogOffUri parameter must point to the same cookie path. For example, if the value of your CookiePath parameter is set to example.com, then your LogOffUri must point to example.com/logoff.html.

Default: (all agents except the CA SiteMinder® Agent for SharePoint r12.0.3.0) No default

Limits: Multiple URI values permitted. Do not use a fully qualified URL. Use a relative URI.

Example: (all agents except the CA SiteMinder® Agent for SharePoint r12.0.3.0) /Web pages/logoff.html

Follow these steps:

  1. Create a custom HTTP application that logs the user off. For example, add an Exit or Sign Off button that redirects the user to a URL you specify.
  2. Set up the log-out page so it cannot be cached in web browsers. This setting increases security because the page is always served from the web server, and not the cache of the browser. For example, for HTML pages, you can add the following meta tags to the page:
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    <META HTTP-EQUIV="Expires" CONTENT="-1">

    Important! Some web browsers do not support meta tags. Use a cache-control HTTP header instead.

  3. Configure the LogOffUri parameter with the following steps:
    1. Delete the pound sign (#), if necessary.
    2. Enter the URI of the custom HTTP file that will log the user off. Do not use a fully qualified URL.

      The full log-out feature is configured.
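The following added example (written for this page; it is not CA SiteMinder Web Agent code) checks a LogOffUri value against the rules stated above and serves the custom log-off page with HTTP headers that forbid caching, the header-based alternative the Important! note recommends over meta tags. It assumes a path-style CookiePath such as /app; the page text, paths and the minimal WSGI handler are constructed for illustration.

```python
# Added example (not CA SiteMinder code): validate a LogOffUri value and serve
# the log-off page so that browsers and proxies will not cache it.
# All paths, page text and the WSGI handler are constructed for illustration.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# HTTP headers that forbid caching. Sending these is the alternative to the
# <META> tags and also covers browsers and proxies that ignore meta tags.
NO_CACHE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",  # HTTP/1.1 caches
    "Pragma": "no-cache",                                               # HTTP/1.0 caches
    "Expires": "0",                                                     # already stale
}

# Constructed log-off page; the meta tags are kept as a second line of defence.
LOGOFF_PAGE = """<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<title>Logged off</title>
</head>
<body><p>You have been logged off. Close your browser to finish.</p></body>
</html>"""


def validate_logoff_uri(logoff_uri: str, cookie_path: Optional[str] = None) -> List[str]:
    """Return the problems found with a LogOffUri value (empty list when valid).

    Rules modelled: the value must be a relative URI (no scheme or host), and
    when CookiePath is set the log-off page must sit under that path so the
    agent can clear the cookies scoped to it. A path-style CookiePath such
    as "/app" is assumed.
    """
    problems: List[str] = []
    parts = urlsplit(logoff_uri)
    if parts.scheme or parts.netloc:
        # Also catches protocol-relative values such as //host/logoff.html
        problems.append("LogOffUri must be a relative URI, not a fully qualified URL")
    elif not logoff_uri.startswith("/"):
        problems.append("LogOffUri should start with '/' (server-relative path)")
    if cookie_path:
        base = cookie_path.rstrip("/") or "/"
        under = logoff_uri == base or logoff_uri.startswith(base.rstrip("/") + "/")
        if not under:
            problems.append(f"LogOffUri must point inside CookiePath {cookie_path!r}")
    return problems


def logoff_page_response(body_html: str) -> Tuple[int, Dict[str, str], bytes]:
    """Build (status, headers, body) for the log-off page with no-cache headers."""
    headers = dict(NO_CACHE_HEADERS)
    headers["Content-Type"] = "text/html; charset=utf-8"
    return 200, headers, body_html.encode("utf-8")


def is_cacheable(headers: Dict[str, str]) -> bool:
    """True if a browser or proxy could legitimately reuse this response from cache.

    Only HTTP headers are consulted: a page that relies on <META> tags alone
    shows up here as cacheable, which is the gap the Important! note warns about.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    directives = {
        d.strip().lower()
        for d in lookup.get("cache-control", "").split(",")
        if d.strip()
    }
    if "no-store" in directives or "no-cache" in directives:
        return False
    if lookup.get("pragma", "").strip().lower() == "no-cache":
        return False
    return True


def logoff_app(environ, start_response):
    """Minimal WSGI handler for the LogOffUri path (constructed example)."""
    status, headers, body = logoff_page_response(LOGOFF_PAGE)
    start_response(f"{status} OK", list(headers.items()))
    return [body]


if __name__ == "__main__":
    print(validate_logoff_uri("/Web pages/logoff.html"))              # []
    print(validate_logoff_uri("http://example.com/logoff.html"))       # fully qualified
    print(validate_logoff_uri("/logoff.html", cookie_path="/app"))     # outside CookiePath
    print(is_cacheable({}), is_cacheable(NO_CACHE_HEADERS))            # True False
```

Run `is_cacheable` against the headers your web server actually returns for the log-off page (for example from a packet capture or a browser's network panel) rather than against the HTML source: the meta tags in the source say nothing about what an intermediate proxy will do.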

More information:

Specify the Cookie Path for Agent Cookies

How to Configure Full Logoff for Single Sign-on

In a single sign-on environment, the session cookies are removed only from the local cookie domain and the cookie provider domain associated with the Web Agent. For single sign-on across multiple cookie domains, the full log-off feature of CA SiteMinder® does not automatically log a user off across all the cookie domains that the user has visited.

To configure log-offs across multiple cookie domains, use the following process:

  1. Create one centralized log-off page that contains separate frames (or iframes) for the other cookie domains in your SSO environment. These frames can be a small size, such as 1x1 pixels.
  2. For each frame of the centralized log-off page in Step 1, add a hyperlink to the LogOffUri of the associated cookie domain. For example, if you have two other cookie domains, example.org and example.net, you would do the following steps:
  3. Configure the LogOffUri of the cookie provider domain to point to the centralized log-off page. When the web server loads this log-off page, the frames in the centralized log-off page call the log-off pages from the other cookie domains. The user is logged off from all the cookie domains at once.

The following illustration shows an example of using a centralized log-off page:

Graphic showing a Centralized Log-Off Page Allowing One Log Off From Multiple Cookie Domains

Note: You can also place the hyperlinks inside <iframe> tags instead of <frame> tags.
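The following added example (written for this page; not CA SiteMinder code) generates the centralized log-off page described above, with one hidden 1x1 <iframe> per other cookie domain, and includes a small review check that lists the log-off URLs the page will call and reports any SSO domain the page misses. Domain names and URIs are constructed; the scheme is assumed to be https.

```python
# Added example (not CA SiteMinder code): build the cookie provider domain's
# centralized log-off page. Each hidden 1x1 <iframe> loads the LogOffUri of
# one other cookie domain, so a single visit logs the user off everywhere.
# Domain names and URIs are constructed for illustration.
from html import escape
from html.parser import HTMLParser
from typing import Dict, Iterable, List
from urllib.parse import urlsplit


def centralized_logoff_page(domain_logoff_uris: Dict[str, str],
                            message: str = "You have been logged off.",
                            scheme: str = "https") -> str:
    """Return the HTML of the centralized log-off page.

    domain_logoff_uris maps each other cookie domain to its LogOffUri, for
    example {"example.org": "/logoff.html"}. Serve the result with no-cache
    headers, like any other log-off page.
    """
    frames: List[str] = []
    for domain, uri in domain_logoff_uris.items():
        path = uri if uri.startswith("/") else "/" + uri
        target = f"{scheme}://{domain}{path}"
        frames.append(
            f'  <iframe src="{escape(target, quote=True)}" width="1" height="1" '
            f'title="log off {escape(domain)}" style="border:0"></iframe>'
        )
    return "\n".join([
        "<!DOCTYPE html>",
        "<html>",
        "<head>",
        '  <meta http-equiv="Pragma" content="no-cache">',
        '  <meta http-equiv="Expires" content="-1">',
        "  <title>Logged off</title>",
        "</head>",
        "<body>",
        f"  <p>{escape(message)}</p>",
        *frames,
        "</body>",
        "</html>",
    ])


class _FrameSources(HTMLParser):
    """Collect the src attribute of every <iframe> and <frame> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def frame_targets(page_html: str) -> List[str]:
    """Return the log-off URLs a page will call when it loads."""
    parser = _FrameSources()
    parser.feed(page_html)
    return parser.sources


def missing_domains(page_html: str, expected_domains: Iterable[str]) -> List[str]:
    """Cookie domains of the SSO environment that the page does not log off."""
    covered = {urlsplit(src).hostname for src in frame_targets(page_html)}
    return [d for d in expected_domains if d not in covered]


if __name__ == "__main__":
    page = centralized_logoff_page({"example.org": "/logoff.html",
                                    "example.net": "/signout/logoff.html"})
    print(page)
    print(frame_targets(page))
    print(missing_domains(page, ["example.org", "example.net", "example.edu"]))
```

Keep the domain-to-LogOffUri map in one place and run `missing_domains` against the list of cookie domains in your SSO environment whenever a domain is added; a domain that is not in the page keeps its session cookie after the user believes they have logged off.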

Configure Comprehensive Log Out using FCC Forms

If you use FCC forms to authenticate your users, you can configure a comprehensive log out with your FCC form. This method provides an alternative to the LogoffUri parameter.

Follow these steps:

  1. Open the .fcc file that you are using to authenticate your users with a text editor. FCC files are located in the following directory:
    web_agent_home/samples/forms
    
    web_agent_home

    Indicates the directory where the CA SiteMinder® Agent is installed.

    Default (Windows 32-bit installations of CA SiteMinder® Web Agents only): C:\Program Files\CA\webagent

    Default (Windows 64-bit installations [CA SiteMinder® Web Agents for IIS only]): C:\Program Files\CA\webagent\win64

    Default (Windows 32-bit applications operating on 64-bit systems [Wow64 with CA SiteMinder® Web Agents for IIS only]): C:\Program Files (x86)\webagent\win32

    Default (UNIX/Linux installations): /opt/ca/webagent

  2. Add the following text to the top of your FCC page (before the <html> tag):
    @smlogout=true
    @target=http://server_name.example.com/directory/your_logout_page.html
    

    Note: your_logout_page indicates a custom HTML page you create to inform users that they have logged out.

    Comprehensive logout using FCC forms is configured.