Sample Integration Module 2: Customized Single Sign-On Integration

Integrating with Third-Party Identity and Access Management Modules 10-27

3. Optionally specifies on the HttpServletRequest the attribute referenced by oracle.security.fed.sessionid, which holds the identifier of the user session being logged out (a String object).

When the authentication/SP engine logs the user out and internally forwards the user back to Oracle Identity Federation, it:

1. Performs an internal forward to the /fed web context and /user/logoutretsso.

2. Specifies the engine ID of the invoked engine on the HttpServletRequest, via the attribute referenced by oracle.security.fed.authn.engineid if the engine is an authentication engine, or oracle.security.fed.sp.engineid if the engine is an SP engine. The attribute value is the identifier of the engine that performed the logout operation.

AuthnSP invokes Oracle Identity Federation

When an authentication/SP engine invokes Oracle Identity Federation for logout, it:

1. Performs an internal forward to the /fed web context and /user/logoutsso.

2. Specifies the engine ID of the invoked engine on the HttpServletRequest, via the attribute referenced by oracle.security.fed.authn.engineid if the engine is an authentication engine, or oracle.security.fed.sp.engineid if the engine is an SP engine. The attribute value is the identifier of the engine being invoked for logout.

3. Specifies a return URL to which Oracle Identity Federation redirects the user after logout. That URL is specified via the HttpServletRequest attribute referenced by oracle.security.fed.logout.returnurl.

At the end of the logout flow, the user is logged out from Oracle Identity Federation and redirected to the return URL.

10.5.2 Sample Logout Services

In the next two sections, these scenarios of logout services are outlined:

■ Logout Service Example 1 describes a custom logout service when both the authentication and SP integration engines are customized.

■ Logout Service Example 2 describes a custom logout service when only the SP integration engine is customized.

10.5.3 Logout Service Example 1

This section describes how to integrate a custom logout service, assuming that both the authentication and SP integration engines have been customized, that is, the default engines are no longer used.

Setup

In this example, the authentication engine is the LDAP engine described in Section 10.3, "Creating a Custom Authentication Engine", and the SP integration engine is the Oracle WebLogic Server integration engine described in Section 10.4.4, "Sample Integration Module 1: Oracle WebLogic Server JavaEE Container Integration".

10-28 Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation

Packaging

The logout service consists of a JSP page bundled with the authentication and SP integration engines:

■ logout.jsp, which processes the request from Oracle Identity Federation, removes the feduserid attribute (set by the wlsintegration.jsp page) from the HttpSession object, and redirects the user to either Oracle Identity Federation or the doneURL parameter.

Updating the Engine

To update the engine:

1. Go to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Navigate to Administration, then SP Integration Modules. Click the Custom SP Engine tab.

3. To modify an SP integration engine, select it and:

■ Enable logout engine

■ Set logout.jsp as the Logout Relative Path of the SP integration engine

4. Save your changes.

Implementation of logout.jsp

<%@ page buffer="5kb" autoFlush="true" session="false" %>
<%@ page language="java" import="java.net.*" %>
<%
// Prevent the logout response from being cached by the browser or a proxy
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
// Remove the user identifier stored in the session by wlsintegration.jsp
request.getSession().removeAttribute("feduserid");
// Tell Oracle Identity Federation which SP engine performed the logout
request.setAttribute("oracle.security.fed.sp.engineid", "TEST_ENGINE_ID");
// Return control to Oracle Identity Federation (requires cross-context dispatch to /fed)
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/logoutretsso").forward(request, response);
%>

10.5.4 Logout Service Example 2

This section describes how to integrate a custom logout service, assuming that only the SP integration engine has been customized.

Setup

In this example, the SP integration engine is the customized SSO integration engine described in Section 10.4.5, "Sample Integration Module 2: Customized Single Sign-On Integration".

Packaging

The logout service consists of a JSP page bundled with the authentication and SP integration engines:

■ domainlogout.jsp, which processes the request from Oracle Identity Federation, removes the cookie, and redirects the user to the logoutretsso URL.

See Also: Section 5.16, "Configuring SP Integration Modules"

Updating the Engine

To update the engine:

1. Go to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Navigate to Administration, then SP Integration Modules.

3. To modify the SP integration engine, select it and:

■ Enable logout engine

■ Set domainlogout.jsp as the Logout Relative Path of the SP integration engine

4. Save your changes.

Implementation of domainlogout.jsp

<%@ page buffer="5kb" autoFlush="true" session="false" %>
<%@ page language="java" import="java.net.*" %>
<%
// Prevent the logout response from being cached by the browser or a proxy
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
// Expire the SSO cookie set by the custom SP integration engine: same name,
// domain and path as the original, with max age 0 so the browser discards it
Cookie cookie = new Cookie("spintegrationcookie", "");
cookie.setDomain(".us.oracle.com");
cookie.setPath("/");
cookie.setMaxAge(0);
response.addCookie(cookie);
// Tell Oracle Identity Federation which SP engine performed the logout
request.setAttribute("oracle.security.fed.sp.engineid", "TEST_ENGINE_ID");
// Return control to Oracle Identity Federation (requires cross-context dispatch to /fed)
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/logoutretsso").forward(request, response);
%>

See Also: Section 5.16, "Configuring SP Integration Modules"
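The following servlet is an added illustration, not Oracle's code or either of the JSP pages above: it combines the session-attribute and cookie cleanup of logout.jsp and domainlogout.jsp, and also shows the engine-initiated direction (forward to /user/logoutsso with a return URL) described at the start of this section. The servlet mapping, the "initiator" request parameter, the cookie domain and the fixed return URL are assumptions; the return URL is deliberately a constant rather than a request parameter so that the logout flow cannot be turned into an open redirect.

```java
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical custom SP logout engine; "logout" is assumed to be its Logout Relative Path. */
public class SpLogoutServlet extends HttpServlet {
    private static final String ENGINE_ID = "TEST_ENGINE_ID";     // engine ID from Fusion Middleware Control
    private static final String COOKIE_DOMAIN = ".example.com";    // placeholder: the SSO cookie domain
    private static final String RETURN_URL = "/app/loggedout.jsp"; // fixed, never taken from the request

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setHeader("Cache-Control", "no-cache");
        resp.setHeader("Pragma", "no-cache");
        resp.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
        if ("app".equals(req.getParameter("initiator"))) {
            // Engine-initiated logout: ask Oracle Identity Federation to log the user out,
            // then have it redirect the user to RETURN_URL (attribute-driven, not user-driven).
            req.setAttribute("oracle.security.fed.sp.engineid", ENGINE_ID);
            req.setAttribute("oracle.security.fed.logout.returnurl", RETURN_URL);
            forwardToFed(req, resp, "/user/logoutsso");
            return;
        }
        // Oracle Identity Federation invoked this engine: drop all local SSO state.
        HttpSession session = req.getSession(false);   // do not create a session just to clear it
        if (session != null) {
            session.removeAttribute("feduserid");
            session.invalidate();   // beyond the JSP examples: also ends the container session
        }
        Cookie cookie = new Cookie("spintegrationcookie", "");
        cookie.setDomain(COOKIE_DOMAIN);
        cookie.setPath("/");
        cookie.setMaxAge(0);        // max age 0 makes the browser discard the cookie
        resp.addCookie(cookie);
        req.setAttribute("oracle.security.fed.sp.engineid", ENGINE_ID);
        forwardToFed(req, resp, "/user/logoutretsso");
    }

    /** Internal forward into the /fed web context; cross-context dispatch must be enabled. */
    private void forwardToFed(HttpServletRequest req, HttpServletResponse resp, String path)
            throws ServletException, IOException {
        ServletContext fed = getServletContext().getContext("/fed");
        if (fed == null) throw new ServletException("/fed context is not reachable from this web application");
        fed.getRequestDispatcher(path).forward(req, resp);
    }
}
```

The cookie is only expired if name, domain and path match those of the cookie set at login, so keep these constants in sync with the SP integration engine.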