Layer 7 Access Management

Expand all | Collapse all

How to remove SMSESSION for OIDC user

Jump to Best Answer
  • 1.  How to remove SMSESSION for OIDC user

    Posted 05-12-2019 12:31 AM

    Hello there,


    We are using CA API Gateway OTK 4.3 as OAuth provider, that means when external user tries to log into company ABC app(3rd party/RP), user will be redirected to our OTK for credential validation and generate tokens. However when user enters uid/pwd which will be validated by CA SiteMinder that sets SMSESSION cookie in the browser. 


    Now user clicks log off on third party application and RP calls OAuth token revoke endpoint to invalidate token, however we still see SMSESSION cooke exist in the user browser, because of this user is able to login without entering uid/pwd after log out.


    Any thoughts please to remove SMSESSION cookie from user browser when Relying Party calls OAuth token revoke endpoint?



  • 2.  Re: How to remove SMSESSION for OIDC user
    Best Answer

    Posted 05-24-2019 09:22 AM

    If you are not using a session store, then I think best is to overwrite the SMSESSION cookie with LoggedOff which can be easily done in API Gateway. This will clear the valid session from the browser. However, if the user still has a copied SMSESSION, then he/she can utilize it to login again.