Comprehensive Log Out

This content describes how to configure comprehensive log out.
How Full Logoff Works
Full logoff support enables a Web developer to make sure that a user is completely logged off from a user session. This protects resources because it gives users a way to end a session without exiting the Web browser and prevents an unauthorized person from assuming control of an open session.
A full logoff uses the following process:
  1. A user clicks a button to log off.
  2. The Web Agent redirects the user to a customized logoff page that you created.
  3. The Web Agent removes the session and authentication cookies from a user’s browser.
  4. The Web Agent also removes the session cookie from the local cookie domain and the cookie provider domain, which you specify for single sign-on environments.
  5. The Web Agent calls the Policy Server and instructs the Policy Server to remove any session information.
    The user is completely logged off.
Configure Full Logoff
The full log-out feature uses a custom log-out page that you create with the following parameter:
LogOffUri
Enables the full log-out function by specifying the URI of a custom web page. This custom web page appears to users after they are successfully logged off. Configure this page so that it cannot be stored in a browser cache. Otherwise, a browser could possibly display a log-out page from its cache without logging the user off. If this situation happens, unauthorized users could possibly have an opportunity to assume control of a session.
When the CookiePath parameter is set, the value of the LogOffUri parameter must point to the same cookie path. For example, if the value of your CookiePath parameter is set to example.com, then your LogOffUri must point to example.com/logoff.html.
Default: (all agents except the CA Single Sign-On Agent for SharePoint r12.0.3.0) No default
Limits: Multiple URI values permitted. Do not use a fully qualified URL. Use a relative URI.
Example: (all agents except the CA Single Sign-On Agent for SharePoint r12.0.3.0) /Web pages/logoff.html
Follow these steps:
  1. Create a custom HTTP application that logs the user off. For example, add an Exit or Sign Off button that redirects the user to a URL you specify.
  2. Set up the log-out page so it cannot be cached in web browsers. This setting increases security because the page is always served from the web server, and not the cache of the browser. For example, for HTML pages, you can add the following meta tags to the page:
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    <META HTTP-EQUIV="Expires" CONTENT="-1">
    Some web browsers do not support meta tags. Use a cache-control HTTP header instead.
  3. Configure the LogOffUri parameter with the following steps:
    1. Delete the pound sign (#), if necessary.
    2. Enter the URI of the custom HTTP file that will log the user off. Do not use a fully qualified URL.
      Example: /logoff.htm
The full log-out feature is configured.
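A check for steps 2 and 3, as an added example that is not part of the product documentation: `check_logoff_uri` rejects fully qualified LogOffUri values and `cache_verdict` classifies the response headers served with the log-out page. The function names, the sample values and the rule that only Cache-Control counts are assumptions of this example.

```python
from urllib.parse import urlsplit

def check_logoff_uri(value):
    """Return problems with one LogOffUri value (empty list means OK)."""
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return ["fully qualified URL: use a relative URI"]
    return []

def cache_verdict(headers):
    """Classify the log-out page's response headers.

    never-stored: Cache-Control: no-store, the browser keeps no copy
    revalidated : a copy may be kept but the server is asked before reuse
    cacheable   : the browser may show the page from its cache, so no
                  request reaches the web server and no logoff happens
    Policy of this example (assumption): only Cache-Control counts; Pragma
    and Expires on their own are treated as insufficient.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = {}
    for item in lowered.get("cache-control", "").split(","):
        name, _, arg = item.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    if "no-store" in directives:
        return "never-stored"
    if "no-cache" in directives:
        return "revalidated"
    if directives.get("max-age") == "0" and "must-revalidate" in directives:
        return "revalidated"
    return "cacheable"

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for uri in ["/logoff.htm", "http://www.example.com/logoff.htm"]:
        print(uri, check_logoff_uri(uri) or "ok")
    samples = [
        {"Cache-Control": "no-store"},
        {"Cache-Control": "no-cache, must-revalidate"},
        {"Pragma": "no-cache", "Expires": "-1"},
        {"Cache-Control": "public, max-age=3600"},
    ]
    for sample in samples:
        print(cache_verdict(sample), sample)
```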
How to Configure Full Logoff for Single Sign-on
In a single sign-on environment, the session cookies are removed only from the local cookie domain and the cookie provider domain associated with the Web Agent. For single sign-on across multiple cookie domains, the full log-off feature of CA Single Sign-On does not automatically log a user off across all the cookie domains that the user has visited.
To configure log-offs across multiple cookie domains, use the following process:
  1. Create one centralized log-off page that contains separate frames (or iframes) for the other cookie domains in your SSO environment. These frames can be a small size, such as 1x1 pixels.
  2. For each frame of the centralized log-off page in Step one, add a hyperlink to the Logoff Uri of the associated cookie domain. For example, if you have two other cookie domains, example.org and example.net, you would do the following steps:
    • Add a hyperlink to the Logoff Uri of example.org to one frame.
    • Add a hyperlink to the Logoff Uri of example.net to the other frame.
  3. Configure the LogoffUri of the cookie provider domain to point to the centralized log-off page. When the web server loads this log-off page, the frames in the centralized log-off page call the logoff pages from the other cookie domains. The user is logged off from all the cookie domains at once.
The following illustration shows an example of the use of a centralized log-off page:
Logoff from multiple cookie domains using page with frames
You can also place the hyperlinks inside <iframe> tags instead of <frame> tags.
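The centralized log-off page from steps 1 to 3, built by a short generator; this is an added example, not part of the product documentation. The function name, the `www` host names and the `/logoff.html` paths are assumptions; each URL stands for the LogOffUri page of another cookie domain.

```python
from html import escape
from urllib.parse import urlsplit

def build_central_logoff_page(logoff_urls):
    """Return HTML for a centralized log-off page with one 1x1 iframe per URL.

    Each entry is the full URL of another cookie domain's logoff page. The
    frame targets live on other hosts, so a relative value is rejected here.
    """
    frames = []
    for url in logoff_urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("not an absolute http(s) URL: %r" % url)
        # Escape the URL so characters such as & or " cannot break the attribute.
        frames.append(
            '<iframe src="%s" width="1" height="1" title="logoff"></iframe>'
            % escape(url, quote=True))
    head = [
        "<!DOCTYPE html>",
        "<html>",
        "<head>",
        # The no-cache meta tags this page gives for log-out pages.
        '<meta http-equiv="Pragma" content="no-cache">',
        '<meta http-equiv="Expires" content="-1">',
        "<title>Logged off</title>",
        "</head>",
        "<body>",
        "<p>You have been logged off.</p>",
    ]
    return "\n".join(head + frames + ["</body>", "</html>"])

# Constructed sample: the two other cookie domains named in the text.
SAMPLE_URLS = [
    "http://www.example.org/logoff.html",
    "http://www.example.net/logoff.html",
]

if __name__ == "__main__":
    print(build_central_logoff_page(SAMPLE_URLS))
```

Serve the generated page at the URI that the LogoffUri of the cookie provider domain points to, with the same no-cache response headers as any other log-out page.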
Configure Comprehensive Log Out using FCC Forms
If you use FCC forms to authenticate your users, you can configure a comprehensive log out with your FCC form. This method provides an alternative to the LogoffUri parameter.
Note: Do not set FCC forms such as msrlogout.FCC to LogoffUri.
Follow these steps:
  1. Open the .fcc file that you are using to authenticate your users with a text editor. FCC files are located in the following directory:
    web_agent_home/samples/forms
    • web_agent_home
      Indicates the directory where the agent is installed.
      Default (Windows 32-bit installations of Web Agents only): C:\Program Files\CA\webagent
      Default (Windows 64-bit installations [Web Agents for IIS only]): C:\Program Files\CA\webagent\win64
      Default (Windows 32-bit applications operating on 64-bit systems [Wow64 with Web Agents for IIS only]): C:\Program Files (x86)\webagent\win32
      Default (UNIX/Linux installations): /opt/ca/webagent
  2. Add the following text to the top of your FCC page (before the <html> tag):
    @smlogout=true
    @target=http://server_name.example.com/directory/your_logout_page.html
    your_logout_page indicates a custom HTML page you create to inform users that they have logged out.
    Comprehensive logout using FCC forms is configured.