3.9 Customizing Logout Requests

3.9.1 Customizing Applications to Use the Access Gateway Logout Page

If any of your protected resources have a logout page or button, you need to redirect the user’s logout request to the Access Gateway logout page. The Access Gateway can then clear the user’s session and log the user out of any other resources that have been enabled for single sign-on. If you do not redirect the user’s logout request, the user is logged out of one resource, but the user’s session remains active until inactivity closes the session. If the user accesses the resource again before the session is closed, single sign-on reauthenticates the user to the resource, and it appears that the logout did nothing.

  1. In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. In the Embedded Service Provider section, view the path to the AGLogout page in the Logout URL option.

    The Logout URL displays the URL that you need to use for logging users out of protected resources. This option is not displayed until you have created at least one reverse proxy with a proxy service. If you create two or more reverse proxies, you can select which one is used for authentication, and the logout URL changes to match the assigned reverse proxy. For more information about how to change the authentication proxy, see Section 7.3.2, Changing the Authentication Proxy Service.

  3. Redirect application logout requests to the AGLogout page.

  4. Click OK.

The Access Gateway does not support the following logout pages that were used in previous versions of Access Manager and iChain:

  • /cmd/BM-Logout

  • /cmd/ICSLogout

3.9.2 Customizing the Access Gateway Logout Page

You can create your own logout page and configure the Access Gateway to use it. To do this, you need to modify the logoutSuccess.jsp file on the Access Gateway. It is located in the following directory:

Linux: /opt/novell/nesp/lib/webapp/jsp

Windows: \Program Files\Novell\Tomcat\webapp\nesp\jsp

You can modify the file to display what you want or you can modify it to redirect the user to your custom page. The following sections provide some tips for accomplishing this task:

Modifying the Header

The logoutSuccess.jsp file is called in a frame from the nidp.jsp file. The branding in the header of the logout page is controlled by the branding of the nidp.jsp file. For information about how to modify nidp.jsp for logos, titles, and colors, see Rebranding the Header in the NetIQ Access Manager 4.0 SP1 Identity Server Guide.

IMPORTANT: Take a backup of the nidp.jsp file before making modifications. Every time you upgrade your Access Gateway, the upgrade process overrides any custom changes made to JSP files that use the same filename as those included with the product. If you want the modified file, you need to restore the nidp.jsp file. During an upgrade, you can select to restore custom login pages, but NetIQ still recommends that you keep your own backup of any customized files.

Redirecting to Your Custom Page

One way to provide redirection is to replace the information in the <body> element of the logoutSuccess.jsp file with something similar to the following:

<body>
    <script type="text/javascript">
        top.location.href = 'http://<hostname/path>';
    </script>
</body>

Replace the <hostname/path> string with the location of your customized logout page.

IMPORTANT: Take a backup of the logoutSuccess.jsp file before making modifications. Every time you upgrade your Access Gateway, the upgrade process overrides any custom changes made to JSP files that use the same filename as those included with the product. If you want the modified file, you need to restore the nidp.jsp file. During an upgrade, you can select to restore custom login pages, but NetIQ still recommends that you keep your own backup of any customized files.

Calling Different Logout Pages

If you need to use a different logout page for specific protected resources, you need to modify the logout button of the applications to use the plogout URL rather than the AGLogout URL (see Section 3.9.1, Customizing Applications to Use the Access Gateway Logout Page). The AGLogout page redirects to the plogout page, which calls the logoutSuccess.jsp. Any parameter added to the AGLogout or plogout URL is saved and passed to the logoutSuccess.jsp file.

The parameter passed to the logoutSuccess.jsp file can be used with if/else logic in the body of the page to load different custom logout pages based on the parameter value.

To use the plogout URL, you need to modify the application’s logout button to call the following URL:

<ESP Domain>/nesp/app/plogout

Replace <ESP Domain> with the same value as the AGLogout value. For example, suppose your AGLogout value is the following:

https://jwilson1.provo.novell.com:443/AGLogout

You would replace it with the following value:

https://jwilson1.provo.novell.com:443/nesp/app/plogout

If you add a parameter to the URL, it would look similar to the following:

https://jwilson1.provo.novell.com:443/nesp/app/plogout?app=email
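The following is an added example of the if/else logic described above, not a file shipped with the product. It reads the app parameter forwarded by plogout (as in the app=email URL above) and selects a logout page from a fixed set; the target URLs are constructed placeholders, and the parameter value is compared against known names only, never used directly as a redirect target.

```jsp
<%
    // Added example for the <body> of logoutSuccess.jsp (not product code).
    // plogout forwards its query parameters to this page, so a logout
    // button that calls .../nesp/app/plogout?app=email arrives here with
    // app=email.
    String app = request.getParameter("app");

    // Fixed, known targets only (placeholder URLs; replace with your own).
    // The request value selects among these; it is never placed in the
    // redirect itself, so an unknown or tampered value cannot send the
    // user to an arbitrary site.
    String target;
    if ("email".equals(app)) {
        target = "https://www.example.com/logout/email.html";
    } else if ("portal".equals(app)) {
        target = "https://www.example.com/logout/portal.html";
    } else {
        // Missing or unrecognized parameter: fall back to the default page.
        target = "https://www.example.com/logout/default.html";
    }
%>
<body>
    <script type="text/javascript">
        top.location.href = '<%= target %>';
    </script>
</body>
```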

Logging Out of Sessions to the Access Gateway and SAML Connectors when Branding Exists in the Customized Logout Page

When you have both Liberty and SAML 2.0 sessions running on the Identity Server and you log out of the Access Gateway, the logoutSuccess.jsp page is not executed with the customizations you have made to the logout page. You will be able to log out of the Access Gateway but the customizations you made are lost.

If the logoutSuccess.jsp file is not loaded in a frame, the banner will not be displayed, and the Access Gateway will comment out the content in the logoutSuccess.jsp file. Add the following lines after the <body> tag in the logoutSuccess.jsp file.

<!-- BANNER LOADS IF THIS PAGE IS NOT LOADED IN REGULAR FRAME -->
<%@include file="logoutHeader.jsp"%>

3.9.3 Configuring the Logout Disconnect Interval

When a user clicks the logout button and the user is logging out of an Access Gateway that is a member of a cluster, the user is not immediately disconnected from the resource. The logout message must be sent to each member of the cluster. The default interval for checking the pending logout message queue is 30 seconds. If this interval is too long, you can configure a shorter interval in the web.xml file of the Embedded Service Provider. This must be set on each Access Gateway in the cluster.

  1. Log in to the Access Gateway as the root or administrator user.

  2. Open the web.xml.

    Linux: /opt/novell/nesp/lib/webapps/WEB-INF/web.xml

    Windows: /Program Files/Novell/nesp/lib/webapps/WEB-INF/web.xml

  3. Find the <context-param> section in the file.

  4. Add the following parameter to the <context-param> section.

    <context-param>
        <param-name>logoutRetirementFrequency</param-name>
        <param-value>15000</param-value>
    </context-param>
    
  5. Set the <param-value> element to a value between 5000 and 30000 milliseconds (5 seconds and 30 seconds).

  6. Restart the Embedded Service Provider.

    For information about how to restart the Embedded Service Provider from the Administration Console, see Section 3.3, Managing Access Gateways.