OAM 11g: SSO Logout Not Fully Completed Where Proxy Web Server With Single 11g WebGate Serves Multiple Virtualhosts
Last updated on MARCH 08, 2017
Applies to:Oracle Access Manager - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
Oracle Access Manager (OAM) 11g WebGate has been configured with OAM 11g Server to protect a site.
There is only front-end proxy webserver and WebGate installation. The proxy webserver routes requests for multiple different Fusion MiddleWare (FMW) applications using different virtualhosts, including Oracle Identity Manager (OIM).
OAM SSO login is successful for all virtualhost access.
However if multiple application virtualhosts are accessed during the user / browser session, then SSO logout is only effective for one of the applications / virtualhosts. The 11g WebGate site-specific OAMAuthnCookie is not removed for the other virtualhosts.
Simple test scenario:
1. Access protected application using one virtualhost e.g. https://companya.domain.com
2. User is prompted for OAM login: submit valid credentials.
3. Company A application page is displayed at https://companya.domain.com. An OAMAuthnCookie is set for site companya.domain.com
4. In the same browser session, the user accesses another protected application via the same proxy webserver using a different virtualhost e.g. https://companyb.domain.com
5. Single Sign-On (SSO) occurs - no prompt for login and the Company B application page is displayed at https://companyb.domain.com. An OAMAuthnCookie is set for site companyb.domain.com
6. The user issues a logout request at http://OAMServerHost.domain:Port/oam/server/logout
7. OAM reports result "User logged out successfully".
8. User accesses Company B protected application page again at https://companyb.domain.com - no prompt for login because only the OAMAuthnCookie for companya.domain.com was expired by logout and not the OAMAuthnCookie for companyb.domain.com.
Note that this issue can also cause strange behaviour in an environment where OAM is integrated with OIM and all site access uses the single proxy webserver and WebGate with different virtualhosts for backend applications.
In this case if a first time user logs into the application they will be redirected to OIM first to reset their password and set their Challenge/Response questions. At that point a Level 1 access OAM cookie (OAMAuthnCookie) is set for the user for the OIM virtualhost. After they have reset their password etc they are redirected to the application and a new Level 2 access OAMAuthnCookie is set for the application virtualhost. When logout is performed it is only partially completed - the user is logged out of the application as the Level 2 OAMAuthnCookie for the application virtualhost is expired, but since the Level 1 OAMAuthnCookie for the OIM virtualhost is never expired, the user is still logged into OIM.
Closing the browser / clearing all cookies will ensure that full OAM logout from all sites is completed.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms