Use of /pkmslogout with virtual host junctions
Policies can be attached to pkmslogout, but WebSEAL does not always apply the policies.
For example, if a user authenticated to WebSEAL and tries to access pkmslogout, the pkmslogout page ends the user session without an authorization check. ACL policies are not applied to such requests. However, if a user has not authenticated to WebSEAL and tries to access pkmslogout, the request is treated as a normal request. WebSEAL conducts an authorization check.
If the authorization check fails, the request proceeds as a normal authorization failure. In the default WebSEAL configuration, the user is prompted to log in.
If the authorization check passes, WebSEAL attempts to retrieve an object called /pkmslogout from the root junction, and this typically results in a 404 Not Found response from WebSEAL.
The allow-unauthenticated-logout option in the [acnt-mgmt] stanza determines whether unauthenticated users are able to request the pkmslogout resource without authenticating first. If set to yes, WebSEAL behaves in the same manner whether the user logging out is authenticated or unauthenticated.
There are several methods to achieve single logout using Security Verify Access. One method is to embed <IMG> or <IFRAME> HTML tags in a logout page so the browser simultaneously logs the user out of multiple servers when the page is viewed. For example, the following HTML tags send requests to /pkmslogout on three different virtual hosts:
<img src="https://www.example.com/pkmslogout" height="0" width="0">
<img src="https://sales.example.com/pkmslogout" height="0" width="0">
<img src="https://accts.example.com/pkmslogout" height="0" width="0">
If this technique is used for single logout, it can be beneficial to either attach ACLs to /pkmslogout or to use the [acnt-mgmt] allow-unauthenticated-logout option to control WebSEAL behavior. For more information about the allow-unauthenticated-logout option, see allow-unauthenticated-logout.
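As an added illustration (not IBM's code), the following Python models the decision flow described above and reports which virtual hosts in an image-based single-logout page would not actually serve the logout; the host names, the per-host settings and the session map are constructed sample values.

```python
from dataclasses import dataclass
from html import escape

@dataclass(frozen=True)
class VirtualHost:
    """Per-virtual-host state relevant to a /pkmslogout request (constructed model)."""
    name: str
    allow_unauthenticated_logout: bool  # [acnt-mgmt] allow-unauthenticated-logout on that WebSEAL
    acl_permits_unauthenticated: bool   # whether the ACL on /pkmslogout grants the unauthenticated user

def pkmslogout_outcome(host: VirtualHost, authenticated: bool) -> str:
    """Outcome of GET /pkmslogout on `host`, following the behaviour described in the text."""
    if authenticated:
        # Authenticated user: session ends with no authorization check; ACLs are ignored.
        return "logout"
    if host.allow_unauthenticated_logout:
        # Option set to yes: unauthenticated users are handled like authenticated ones.
        return "logout"
    if not host.acl_permits_unauthenticated:
        # Normal authorization failure; the default configuration prompts for login.
        return "login-prompt"
    # ACL check passed: WebSEAL looks for /pkmslogout on the root junction, typically a 404.
    return "404-not-found"

def single_logout_tags(hosts) -> str:
    """Hidden <img> tags that request /pkmslogout on every host when the logout page renders."""
    return "\n".join(
        f'<img src="https://{escape(h.name)}/pkmslogout" height="0" width="0">' for h in hosts
    )

def hosts_needing_attention(hosts, session_state):
    """(host, outcome) pairs where the hidden image request would not reach the logout page.
    session_state maps host name -> whether the browser still holds a session there."""
    problems = []
    for h in hosts:
        outcome = pkmslogout_outcome(h, session_state.get(h.name, False))
        if outcome != "logout":
            problems.append((h.name, outcome))
    return problems

# Constructed sample: the three virtual hosts from the text, with differing settings.
HOSTS = [
    VirtualHost("www.example.com", allow_unauthenticated_logout=True, acl_permits_unauthenticated=False),
    VirtualHost("sales.example.com", allow_unauthenticated_logout=False, acl_permits_unauthenticated=False),
    VirtualHost("accts.example.com", allow_unauthenticated_logout=False, acl_permits_unauthenticated=True),
]
```

With only www.example.com holding a session, hosts_needing_attention(HOSTS, {"www.example.com": True}) flags sales.example.com (login prompt) and accts.example.com (404), which is exactly the case the ACL or allow-unauthenticated-logout choice above is meant to control.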
Parent topic: Advanced junction configuration