
Access Manager and Oracle Application and OID - Redirecting Logout

Absent Member.

When Oracle Enterprise Application server and Oracle Internet Directory (OID) are coupled together, logout triggers a specific sequence of URLs so that the user is unauthenticated from both OID and the Enterprise Application server. This sequence invalidates the user's session and clears any cookies and the like, but it must be exact, and it becomes very tricky when NAM is placed in front. Generally, when a user logs out from an application that is protected by NAM, the URL /AGLogout is called so that the NAM session is cleared. That works in this case too, but calling only /AGLogout does not clear the Oracle sessions. This causes problems later when the user wants to log in again with a different userID: Oracle sees the OID and Enterprise Application server sessions as still valid and reuses that session information, which produces the previous userID's session instead of the new session.



By using httpfox, a Firefox addon, I was able to determine a URL hidden in the Oracle HTTP content that specifies the final landing page after the user clicks logout. By specifying this URL with an HTML Rewriter rule to be http://protected_resource.domain.com/AGLogout, we can allow Oracle to perform its logout functions and then log the user out of NAM.



Here is the HTML rewriter rule that must be specified in the reverse proxy.



  1. Create a character rule

  2. Specify a string to search for

    1. VALUE="https%3A%2F%2Fserver.domain.com%2FOA_HTML%2FAppsLogin"

  3. Specify a string to replace with

    1. VALUE=https://reverseProxy.domain.com/AGLogout


The string that we are searching for is specified in a hidden form that is built by OID, so the rule needs to be part of the reverse proxy that is protecting OID, not the application server. The URL is encoded, as you can see from the %3 and such; I opted not to keep that encoding, but this isn't required. The URL is actually the URL of the application server (the backend address, not the DNS name that relates to the reverse proxy).





As you can see from the image, Oracle has a form that the browser submits. It is a hidden form, but it contains p_done_url, and this URL should be rewritten with the /AGLogout URL.
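
A way to check that the rule took effect, as an added example that is not part of the original article: the script models the character rule as a plain literal replacement and then confirms that the hidden p_done_url field lands on the reverse proxy's /AGLogout instead of the backend address. The form markup is a constructed sample, the search and replace strings are the ones from the rule above (written without a space before /AGLogout), and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Search and replace strings taken from the rewriter rule in the article.
SEARCH = 'VALUE="https%3A%2F%2Fserver.domain.com%2FOA_HTML%2FAppsLogin"'
REPLACE = 'VALUE=https://reverseProxy.domain.com/AGLogout'

# Constructed sample of the hidden logout form; only the p_done_url field
# name and its value come from the article, the rest is assumed markup.
SAMPLE_FORM = (
    '<FORM NAME="logout" METHOD="POST" ACTION="/placeholder/logout">\n'
    '<INPUT TYPE="hidden" NAME="p_done_url" '
    'VALUE="https%3A%2F%2Fserver.domain.com%2FOA_HTML%2FAppsLogin">\n'
    '</FORM>'
)


class _DoneUrlFinder(HTMLParser):
    """Collects the value of every <input name="p_done_url"> on the page."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        fields = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "input" and (fields.get("name") or "").lower() == "p_done_url":
            self.values.append(fields.get("value") or "")


def apply_character_rule(html, search=SEARCH, replace=REPLACE):
    """Assumption: the character rule behaves like a literal string replace."""
    return html.replace(search, replace)


def check_done_url(html, proxy_host="reverseproxy.domain.com", path="/AGLogout"):
    """Return (ok, decoded_urls); ok only if every p_done_url hits the proxy logout."""
    finder = _DoneUrlFinder()
    finder.feed(html)
    urls = [unquote(value) for value in finder.values]  # handles %3A, %2F
    ok = bool(urls) and all(
        (urlsplit(u).hostname or "") == proxy_host and urlsplit(u).path == path
        for u in urls
    )
    return ok, urls


if __name__ == "__main__":
    print("before rule:", check_done_url(SAMPLE_FORM))
    print("after rule: ", check_done_url(apply_character_rule(SAMPLE_FORM)))
```

Run check_done_url against the page source saved from a real logout through the reverse proxy; a result of False with the backend address in the list means the rule did not match and the NAM session will outlive the Oracle logout.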

