
Configure the Liberty profile server to track logged out LTPA tokens

We can configure a Liberty profile server to track logged out Lightweight Third Party Authentication (LTPA) tokens.

When a user is logged out using either form logout or programmatic logout, the LTPA token used for Single Sign On (SSO) is removed from the cookie. The token is also removed from the local authentication cache, and the session is invalidated. If the token was persisted and is presented again, it is validated based on the expiration time and the LTPA encryption keys.

With this element enabled, the LTPA SSO tokens that were logged out are tracked and, if presented again, are not used. A logout is performed and the user needs to authenticate again.

To track the tokens that are logged out on a particular Liberty profile server, we can enable the following element in the server.xml:
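The element itself did not survive in this copy of the page. The following server.xml fragment is an added example, not text from the original page; it assumes the element meant is Liberty's `webAppSecurity` with its `trackLoggedOutSSOCookies` attribute, and the `appSecurity-2.0` feature and the `description` value are likewise assumptions made to keep the fragment complete.

```xml
<server description="constructed example">
    <featureManager>
        <!-- Assumed feature: enables application security, including LTPA SSO -->
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- Before (the default): a logged-out LTPA token that is presented again
         is validated only against its expiration time and the LTPA keys.
    <webAppSecurity trackLoggedOutSSOCookies="false"/>
    -->

    <!-- After: this server tracks logged-out LTPA SSO tokens. A tracked token
         that is presented again is not used, a logout is performed, and the
         user must authenticate again. -->
    <webAppSecurity trackLoggedOutSSOCookies="true"/>
</server>
```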

When this element is enabled, it might affect Single Sign On (SSO) scenarios. For example, if the user 'bob' logs in from multiple browsers to the same server, logs out from one browser, and then tries to access the resource using another browser, the user must log in again because the token presented is discarded.