When Oracle Enterprise Application Server and Oracle Internet Directory (OID) are coupled together, a specific sequence of URLs is initiated so that the user is logged out of both OID and the Enterprise Application Server. This sequence invalidates the user's session, clears cookies and so on, but the sequence must be exact and becomes very tricky when NAM is placed in front. Generally, when a user logs out from an application protected by NAM, the URL /AGLogout is called so that the NAM session is cleared. That works in this case, but calling only /AGLogout does not clear the Oracle sessions. This causes problems later when the user wants to log in again with a different userID: Oracle sees the OID and Enterprise Application Server sessions as still valid and uses that session information, producing the previous userID's session instead of the new one.
Using HttpFox, a Firefox add-on, I was able to determine a URL hidden in the Oracle HTTP content that specifies the final landing page after the user clicks logout. By using an HTML Rewriter rule to set this URL to http://protected_resource.domain.com/AGLogout, we let Oracle perform its logout functions and then log the user out from NAM.
Here is the HTML rewriter rule that must be specified in the reverse proxy:
- Create a character rule
- Specify a string to search for
- Specify a string to replace with
- VALUE=https://reverseProxy.domain.com/AGLogout
The string we search for is specified in a hidden form built by OID, so this rule must be part of the reverse proxy that protects OID, not the one for the application server. The URL is percent-encoded (the %3 and so on); I opted not to keep that encoding, but this isn't required. The URL is actually the URL of the application server (the backend address, not the DNS name that maps to the reverse proxy).
As you can see from the image, Oracle has a hidden form that the browser submits; the form contains p_done_url, and this URL should be rewritten to the /AGLogout URL.