Overview of the single sign-off functionality
We can configure WebSEAL to send HTTP requests to predefined applications when a session is terminated. The applications that receive these requests can then terminate any associated sessions that are located on junctioned backend servers.
When a session ends, WebSEAL deletes the session and the session data that it manages. WebSEAL cannot control sessions that are created and managed by backend applications, so backend server sessions remain active after the corresponding WebSEAL session is terminated. To close this gap, WebSEAL provides a mechanism to remove sessions on backend servers when a session ends in WebSEAL.
To achieve single signoff, WebSEAL sends a request to configured single signoff URIs whenever a WebSEAL session is destroyed. Using the information provided in the request, applications on the backend servers can terminate the stale sessions.
There are four different mechanisms that can terminate a WebSEAL session:
- User request by accessing pkmslogout.
- Session timeout.
- EAI session termination command.
- Session terminate command from the pdadmin tool.
Using this feature in a distributed session cache environment generates a separate signoff request from each WebSEAL server that holds the terminated session. Therefore, the single signoff application in a distributed session cache environment must handle multiple signoff requests for a single session, one per WebSEAL server.
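The following sketch shows one way a backend single signoff application can tolerate the repeated requests described above. It is an added example, not IBM or WebSEAL code. It assumes each signoff request carries a value unique to the WebSEAL session (called `webseal_key` here), which this page does not specify. The class, method names, and sample values are all hypothetical.

```python
import time

class SignoffHandler:
    """Backend single signoff logic; all names here are hypothetical."""

    def __init__(self, window=300.0, clock=time.monotonic):
        self.sessions = {}      # backend session id -> WebSEAL session key
        self.terminated = {}    # WebSEAL session key -> time of first signoff
        self.window = window    # seconds to remember a terminated key
        self.clock = clock

    def create_session(self, backend_sid, webseal_key):
        self.sessions[backend_sid] = webseal_key

    def handle_signoff(self, webseal_key):
        """Process one signoff request; return (http_status, outcome)."""
        now = self.clock()
        # Expire old markers so the duplicate table stays bounded.
        self.terminated = {k: t for k, t in self.terminated.items()
                           if now - t < self.window}
        stale = [sid for sid, k in self.sessions.items() if k == webseal_key]
        for sid in stale:
            del self.sessions[sid]
        if stale:
            self.terminated[webseal_key] = now
            return 200, "terminated"
        # A repeat from another WebSEAL server is expected, not an error.
        if webseal_key in self.terminated:
            return 200, "duplicate"
        return 200, "unknown"


def simulate(servers=3):
    """Constructed scenario: every WebSEAL server reports the same session."""
    handler = SignoffHandler()
    handler.create_session("app-1", "key-A")   # constructed sample values
    handler.create_session("app-2", "key-B")
    outcomes = [handler.handle_signoff("key-A")[1] for _ in range(servers)]
    return outcomes, sorted(handler.sessions)


if __name__ == "__main__":
    print(simulate())
```

Answering every request with a success status is a design choice of this sketch; the outcome label lets the application log genuine terminations separately from expected duplicates and from keys it never saw.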