We have configured single sign-on and single logout for 3 applications in the same domain.
SSO is working fine, but we are facing an issue with single logout.
We have created a centralized logout page and added this page's URL to each application's logout link.
In the ACO, the LogOffUri parameter is enabled with the central logout page (/logout/logout.html).
Application authentication procedure:
The applications have second-factor authentication (OTP):
Once the user hits the URL, the SiteMinder fcc page appears (HTML auth scheme configured).
The user submits credentials on the fcc page.
The application redirects the user to the OTP page based on a header value sent by SiteMinder.
The user enters the OTP, and the application displays the home page.
The issue we are facing in SLO:
1. I entered the app1 URL. The fcc page was displayed.
2. I entered valid credentials, and the application redirected me to the OTP page.
3. I entered a valid OTP. The app1 home page was displayed.
4. In a new tab, I entered the app2 URL.
5. I was taken to the OTP page, entered the OTP, and the home page was displayed.
6. I clicked on the logout link in app1.
7. The SiteMinder session was set to logoff and the application session was killed.
8. I then tried to access other links in app2; since the SM session was logged off, the SiteMinder fcc page was displayed.
9. I entered credentials on the app2 fcc page; the application now displayed the page I was accessing in app2 before logout instead of the OTP page, since the previous application session for app2 still exists.
Please let me know how we can kill the application cookie in the browser.
Policy server: 12.52 cr01
Web agent: 126.96.36.199
Add something like this to your logout page.
Response.Cookies("Application Cookie")="DELETED"
Response.Cookies("Application Cookie").Expires="May 10, 2001"
Response.Cookies("Application Cookie").Domain=".company.com"
Response.Cookies("Application Cookie").Path="/"
Thanks for the reply, Mike.
Is this script for ASP.NET?
My logout page is a simple HTML page. I tried this script, but I am facing a problem executing it.
It's VBScript and probably needs to run on an IIS server.
There is likely a way to do the same thing using another method.
Using JavaScript we cannot delete secure cookies [those with the parameter "Accessible to script" set to No (HttpOnly)].
I fixed this issue using iframes.
Thanks for your info.
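The server-side approach suggested in the thread, written as an added example in JavaScript (not code from any of the posts): because an HttpOnly cookie is invisible to page script, the logout response has to expire it with a Set-Cookie header whose Domain and Path match the original. The function names, the cookie jar model and the cookie names used with them are assumptions made for illustration.

```javascript
// Added example: cookie names, domain and paths used with it are constructed.
// A browser identifies a cookie by (name, domain, path), so the expiring
// Set-Cookie must repeat the Domain and Path the application used.
function expireCookieHeader(name, { domain, path = "/", secure = true, httpOnly = true } = {}) {
  const parts = [`${name}=`, "Expires=Thu, 01 Jan 1970 00:00:00 GMT", "Max-Age=0", `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Simplified model of a browser cookie jar (a Map), only to show the matching rule.
function applySetCookie(jar, header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attr = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    attr[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  const domain = String(attr.domain || "").replace(/^\./, "").toLowerCase();
  const key = `${name}|${domain}|${attr.path || "/"}`;
  const expired = attr["max-age"] !== undefined
    ? Number(attr["max-age"]) <= 0
    : attr.expires !== undefined && Date.parse(attr.expires) <= Date.now();
  if (expired) jar.delete(key);
  else jar.set(key, pair.slice(pair.indexOf("=") + 1));
  return jar;
}

// Logout handler body: expire every application session cookie from the server.
// `res` is any object with setHeader(), such as Node's http.ServerResponse.
function handleLogout(res, appCookies) {
  res.setHeader("Set-Cookie", appCookies.map((c) => expireCookieHeader(c.name, c)));
  res.setHeader("Cache-Control", "no-store");
  return res;
}
```

A cookie set without a Domain attribute can only be expired by a response from the host that set it, so a central logout page on another host cannot clear it.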