Configure single signoff

We can enable single signoff in WebSEAL by specifying the URIs that receive the single signoff request. Configure a single-signoff-uri entry in the [acnt-mgt] stanza to reference each single signoff application. The resource cannot be located on a virtual host junction, and the URI must be server-relative. For example:

Each time a WebSEAL session is terminated, WebSEAL sends a request to each of the specified URIs. Each request contains the configured headers and cookies for the junction of the specified resource. The single signoff resources are responsible for using this information to terminate any sessions on the back-end servers.

WebSEAL expects to receive a response containing an HTTP status code of 200 OK. If the response contains any other status code, WebSEAL logs an error. You can perform single signoff on multiple junctioned servers. Configure more than one single-signoff-uri entry to send a request to multiple URIs.

With single-signoff-uri configured, WebSEAL does not send cookies that were sent by the browser to the back-end single signoff resource. By design, the single-signoff-uri mechanism does not use cookies sent by the client; it uses only cookies stored in the WebSEAL cookie jar (managed cookies). This way, WebSEAL can perform the single signoff even in cases such as a timeout, where there is no logout request from the browser.
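
The following added example, which is not from the WebSEAL documentation, shows a back-end single signoff resource written as a Python WSGI application that ends the back-end session and answers 200 OK. The cookie name APPSESSION, the in-memory session store, and the use of iv-user as the identity header sent on the junction are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample data: back-end session id -> user name.
SESSIONS = {"abc123": "alice", "def456": "alice", "zzz999": "bob"}

SESSION_COOKIE = "APPSESSION"  # hypothetical back-end session cookie (managed by WebSEAL)
USER_HEADER = "HTTP_IV_USER"   # assumption: the junction is configured to send iv-user


def terminate_sessions(environ, sessions):
    """Delete the back-end sessions named by a signoff request; return their ids."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if SESSION_COOKIE in cookie:
        # Precise case: WebSEAL replayed the session cookie from its cookie jar.
        sid = cookie[SESSION_COOKIE].value
        return [sid] if sessions.pop(sid, None) is not None else []
    # Fallback: no cookie in the request, so end every session of the asserted user.
    user = environ.get(USER_HEADER)
    doomed = [s for s, u in sessions.items() if user and u == user]
    for sid in doomed:
        del sessions[sid]
    return doomed


def signoff_app(environ, start_response, sessions=SESSIONS):
    """WSGI application to mount at the URI named in single-signoff-uri.

    Assumes the server accepts connections only from WebSEAL, so the
    identity header cannot be supplied by a client directly.
    """
    terminate_sessions(environ, sessions)
    # Reply 200 OK even when the session was already gone (an example design
    # choice): WebSEAL logs an error for any other status code.
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Length", "0")])
    return [b""]
```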
