Agent for SharePoint Guide › Advanced Configuration Options › Configure Single Logout on SharePoint 2010

Configure Single Logout on SharePoint 2010

Users who visit multiple websites that the protects have a Fedauth browser cookie for each website. Configuring the single logout verifies that these Fedauth cookies are removed from the browser of the user upon logout.

Follow these steps:

1. Verify that the server hosting your contains the proper files.
2. Edit the file of each web front-end (WFE) server in your SharePoint environment.
3. Open the Administrative UI, and then perform the following tasks:
   1. Make your sessions persistent.
   2. Leave the cleanup URL unprotected.
   3. Leave the sign-out service URL unprotected.
   4. Leave the confirmation page unprotected.
4. Enable single logout by running the SharePoint Connection wizard.

Verify the Server Hosting Your CA SiteMinder® Agent for SharePoint Has the Proper Files

As an agent owner who is responsible for running the server hosting the CA SiteMinder® Agent for SharePoint, verify that the server contains the correct .jsp file. This step is the first step in configuring the single log-out feature.

Follow these steps:

1. Log in to the system hosting your CA SiteMinder® Agent for SharePoint.
2. Navigate to the following directory:

   Agent-for-SharePoint_Home\Tomcat\webapps\affwebservices\public
   

   Agent-for-SharePoint_Home

   Indicates the directory where the CA SiteMinder® Agent for SharePoint is installed.

   Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

   Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
   Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

3. Verify that the following files exist:
   • signoutconfirmurl.jsp
   • spsignoutconfirmurl.jsp

   Note: If the previous file does not exist, verify that the proper version of the CA SiteMinder® Agent for SharePoint is installed on your server.

   The presence of the proper file is verified. Have your SharePoint administrator continue with the next step of editing the files on your web front-end (WFE) servers.

Edit the File of Each Web Front-End (WFE) Server in Your SharePoint Environment

As a SharePoint administrator who is responsible for running the SharePoint environment, edit the Welcome.ascx file on your WFE servers. Editing the file replaces the SharePoint signout URL with the URL of the <stmdnr> signout page. This step is the next step in configuring the single logout feature.

Follow these steps:

1. Log in to your WFE server.
2. Make a backup copy of the following file:

   %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\CONTROLTEMPLATES\Welcome.ascx
   

3. Open the original version of the Welcome.ascx file with a text editor:

   Important! Do not use Notepad, Wordpad (or any other text editor with line-length limitations) to edit the .config (XML) files. A text editor that is designed for writing programming source code typically does not have such line-length limitations. For more information, see the documentation or online help for your respective editor.

4. Locate the following line:

   <SharePoint:MenuItemTemplate runat="server" id="ID_Logout"
   

5. Change ID_Logout to ID_Logout2, as shown in the following example:

   <SharePoint:MenuItemTemplate runat="server" id="ID_Logout2"
   

6. Locate the following line:

   UseShortID="true"
   

7. Add a line following the previous line (shown in Step 6).
8. Add the following settings to the new line:

   ClientonClickNavigateurl="http://example.com/affwebservices/public/wsfedsignout?wa=wsignout1.0"
   

9. Replace the example.com text in the previous line with the domain of your SharePoint web application. For example, if the domain of your SharePoint web application is support.example.com, then the text in Step 8 would resemble the following example:

   ClientonClickNavigateurl="http://support.example.com/affwebservices/public/wsfedsignout?wa=wsignout1.0"
   

10. Save the file and close the text editor.
11. Restart the Internet Information Services (IIS) on your WFE server.
12. Repeat Steps 1 through 11 on all of your WFE servers.

    The files of each WFE servers are edited. Have your policy administrator perform the next steps by opening the Administrative UI.

Change the Policy Server Objects

Change the objects on your Policy Server by opening the Administrative UI.

Follow these steps:

1. Open the following URL in a browser.

   https://host_name:8443/iam/siteminder/adminui
   

   host_name

   Specifies the fully qualified Administrative UI host system name.

2. Enter your CA SiteMinder® superuser name in the User Name field.
3. Enter the CA SiteMinder® superuser account password in the Password field.

   Note: If your superuser account password contains dollar‑sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the CA SiteMinder® superuser account password is $password, enter $DOLLAR$password in the Password field.

4. Verify that the proper server name or IP address appears in the Server drop-down list.
5. Select Log In.

Make Your Sessions Persistent

As a policy administrator who manages the polices on the Policy Server, the next step in configuring single logout is making your sessions persistent.

Follow these steps:

1. Pick the appropriate procedure for your type of policy from the following list:
   • If you use policy domains, go to Step 2.
   • If you use application policies (EPM), go to Step 4.
2. Make the sessions in your policy domain persistent with the following steps:
   1. Click Policies, Domain, Realms.
   2. Click the edit icon of the realm that protects your SharePoint web applications.
   3. Click the Persistent option button (in the Session section).
   4. Click Submit.
3. Repeat Steps 2a through 2d for any other policy domains on which you want to configure single logout.
4. Make the sessions in your application policy (EPM) persistent with the following steps:
   1. Click Policies, Application, Applications.
   2. Click the edit icon of the application that protects your SharePoint web applications.
   3. Verify that the General tab is selected, and then click Advanced Settings...
   4. Click the Persistent option button (in the Session section).
   5. Click OK.
   6. Click Submit.
5. Repeat Steps 4a through 4f for any other policy applications (EPM) on which you want to configure single logout.

   The sessions are persistent. Have your policy administrator continue with the next step of leaving the cleanup URL unprotected.

Leave the Clean Up URL Unprotected

As a policy administrator who manages the polices on the Policy Server, the next step in configuring single logout is leaving the cleanup URL unprotected.

Leaving the cleanup URL unprotected prevents a security challenge from appearing during the single logout process.

Follow these steps:

1. Pick the appropriate procedure for your type of policy from the following list:
   • If you use policy domains, go to Step 2.
   • If you use application policies (EPM), go to Step 4.
2. Leave the cleanup URL unprotected in your policy domain with the following steps:
   1. Click Policies, Domain, Realms.
   2. Click Create Realm
   3. Verify that the domain with your SharePoint web applications is selected and then click Next.
   4. Enter a name and optional description for the new realm.
   5. Click the Lookup Agent/Agent Group button, and then add the agent object that protects your SharePoint web applications.
   6. Click the resource filter field, and then add the following text:

      _trust?wa=wsignoutcleanup1.0
      

   7. Click the Unprotected option button.
   8. Click Finish.
3. Repeat Steps 2a through 2h for each policy domain protecting your SharePoint web applications.
4. Leave the cleanup URL unprotected in your application policy (EPM) with the following steps:
   1. Click Policies, Application, Applications.
   2. Click the edit icon of the application that protects your SharePoint web applications.
   3. Verify that the General tab is selected, and then click Create Component.
   4. Enter a name for the component.
   5. Click the Lookup Agent/Agent Group button, and then add the agent object that protects your SharePoint web applications.
   6. Click the resource filter field, and then add the following text:

      _trust?wa=wsignoutcleanup1.0
      

   7. Click the Unprotected option button.
   8. Click OK.
   9. Click Submit.
5. Repeat Steps 4a through 4i for each application policy (EPM) protecting your SharePoint web applications.

   The cleanup URLs are unprotected. Have your policy administrator continue with the next step of leaving the sign-out service URL unprotected.

Leave the Sign-out Service URL Unprotected

As a policy administrator who manages the polices on the Policy Server, the next step in configuring single logout is leaving the sign-out service URL unprotected.

Leaving the sign-out service URL unprotected prevents a security challenge from appearing during the single logout process.

Follow these steps:

1. Click Infrastructure, Agent, Agent Groups.
2. Select the FederationWebServicesAgentGroup name in the agent groups list and click Modify.
3. Click Add/Remove.
4. Select the agent you want to add to the agent group from the list of Available Members, and click the right-facing arrows.
5. Click OK, Submit.
6. Click Policies, Domain.
7. Select FederationWebServicesDomain, and click Modify.
8. Click Realms.
9. Select the public realm and click Modify.
10. Ensure that the Unprotected option is selected in the Default Resource Protection field. If not, select the Unprotected option.
11. Click the Resource Filter field and add the following text:

    /affwebservices/public/wsfedsignout?wa=wsignout1.0
    

12. Click Finish.
13. Repeat Steps 1 through 12 for each policy domain or application policy (EPM) protecting your SharePoint web applications.

    The sign-out service URLs are unprotected. Have your policy administrator continue with the next step of leaving the confirmation URL unprotected.

Leave the Confirmation Page Unprotected

As a policy administrator who manages the polices on the Policy Server, the next step in configuring single logout is leaving the confirmation page unprotected.

Leaving the confirmation page unprotected prevents a security challenge from appearing during the single logout process.

Follow these steps:

1. Pick the appropriate procedure for your type of policy from the following list:
   • If you use policy domains, go to Step 2.
   • If you use application policies (EPM), go to Step 4.
2. Leave the confirmation page unprotected in your policy domain with the following steps:
   1. Click Policies, Domain, Realms.
   2. Click Create Realm
   3. Verify that the domain with your SharePoint web applications is selected and then click Next.
   4. Enter a name and optional description for the new realm.
   5. Click the Lookup Agent/Agent Group button, and then add the agent object that protects your SharePoint web applications.
   6. Click the resource filter field, and then add the following text:

      affwebservices/public/spsignoutconfirmurl.jsp
      

   7. Click the Unprotected option button.
   8. Click Finish.
3. Repeat Steps 2a through 2h for each policy domain protecting your SharePoint web applications.
4. Leave the confirmation page unprotected in your application policy (EPM) with the following steps:
   1. Click Policies, Application, Applications.
   2. Click the edit icon of the application that protects your SharePoint web applications.
   3. Verify that the General tab is selected, and then click Create Component.
   4. Enter a name for the component.
   5. Click the Lookup Agent/Agent Group button, and then add the agent object that protects your SharePoint web applications.
   6. Click the resource filter field, and then add the following text:

      affwebservices/public/spsignoutconfirmurl.jsp
      

   7. Click the Unprotected option button.
   8. Click OK.
   9. Click Submit.
5. Repeat Steps 4a through 4i for each application policy (EPM) protecting your SharePoint web applications.

   The confirmation pages are unprotected. Have your SharePoint administrator continue with the next step of enabling single logout by running the SharePoint connection wizard.
   

Enable Single Logout by Running the SharePoint Connection Wizard

As an agent owner who is responsible for running the server hosting the CA SiteMinder® Agent for SharePoint, run the SharePoint connection wizard to finish enabling single logout.

Follow these steps:

1. Edit the existing connection using the Connection Wizard with the following steps:
   1. Log in to the server that runs your CA SiteMinder® Agent for SharePoint.
   2. Navigate to the following directory:

      Agent-for-SharePoint_home/sharepoint_connection_wizard
      

   Agent-for-SharePoint_Home

   Indicates the directory where the CA SiteMinder® Agent for SharePoint is installed.

   Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

   Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
   Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

   1. Do the appropriate step for your operating environment:
      • Windows: Right-click the executable and then pick Run as administrator.
      • Solaris: sh ./ca-spconnect-version_number-sol.bin
      • Linux: sh ./ca-spconnect-version_number-rhel30.bin

      The SharePoint Connection wizard starts.

   2. Click Next.

      The Login Details screen appears.

   3. Enter the following login for the Policy Server.

      Policy Server Name

      Specifies the Policy Server name or IP address.

      Username

      Specifies the Policy Server administrator username.

      Password

      Specifies the Policy Server administrator password.

      Agent Name

      Specifies the Agent-4x. The connection with the Policy Server is established using the details that are given in the Agent Name.

      Shared Secret Key

      Specifies the shared secret key that is associated with the Agent.

   4. Click Next

      The Select Action screen appears.

   5. Select Edit a SharePoint Connection option.
   6. Click Next.

      The SharePoint Connection Properties screen appears.

   7. Click through the wizard until you reach the Single Logout Configuration screen.
   8. Select the Enabled SignOut check box.
   9. Click the CleanUp URL field and then type the cleanup URLs from all of your protected web applications.

      Note: Separate multiple URLs with semi-colons.

      Use the following example as a guide:

      http://SharePoint_web_application_one_page_URL/_trust?wa=wsignoutcleanup1.0;http://SharePoint_web_application_two_page_URL/_trust?wa=wsignoutcleanup1.0
      

   10. Click the Confirm URL field and type a single confirmation page URL. Use the following example as a guide:

       http://SharePoint_web_application_one_page_URL/affwebservices/public/spsignoutconfirmurl.jsp
       

       Note: If you have multiple public web applications. SharePoint_web_application_one_URL can be the fully qualified domain that is named of any of those applications.

       For example, if you have the following public SharePoint URLs: http://marketing.example.com and http://developers.example.com, SharePoint_web_application_one_page_URL can be http://marketing.example.com or http://developers.example.com.

   11. Click through the wizard until the Commit Details screen appears.
   12. Click Install.

       The Save Complete screen appears.

   13. Click Done.

   The SharePoint connection wizard closes. Single logout is enabled.