Hi Dennis,
There are options available to do what you want here, but I don't have any concrete examples, so more investigation will be needed.
1) It might be as simple as configuring a logout redirect URL in WAS. In 8.5.5 I found this reference:
To redirect the logout to another URL, navigate to . Locate and open the console.properties file. To use the redirect feature, modify the redirect and redirectURL properties. Set the redirect to true to clear the session and redirect the console to the specified URL when the software performs the logout.
2) You could add a transformation rule in the Reverse Proxy which matches requests to logout.do and simply re-writes them to point to /pkmslogout instead.
3) You could add an ACL in Reverse Proxy which denies access to the logout.do page. When the user attempts to access it, they get a Forbidden page. This page could have JavaScript on it which detects it is the logout.do page and redirects to /pkmslogout.
4) You could use a snippet filter in Reverse Proxy to rewrite the code on the WAS Console page so that the logout button points to /pkmslogout instead.
Personally I would hope that (1) works. This would be the best option because it would mean WAS is logged out and then Reverse Proxy is logged out. To make this work you might need to redirect to ../../../../pkmslogout to make sure you hit the logout page in Reverse Proxy.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
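As an added illustration of options (1) and (3) above (example code, not from the thread or from IBM): the first function resolves a relative redirectURL the way the browser does, showing why "../../../../pkmslogout" lands on the Reverse Proxy root rather than inside the junction; the second is the logic a script on the Forbidden page would use. The junction name "/wasconsole" and the host are assumed placeholders.

```javascript
// Resolve a redirectURL value (absolute or relative) against the console
// page the browser is on, exactly as the browser resolves a redirect.
function resolveLogoutTarget(pageUrl, redirectTarget) {
  return new URL(redirectTarget, pageUrl).href;
}

// True when the URL is the WAS console logout action, whatever junction
// prefix sits in front of /ibm/console and whatever csrfid is appended.
function isConsoleLogout(pageUrl) {
  const path = new URL(pageUrl).pathname;
  return /\/ibm\/console\/logout\.do$/.test(path);
}

// Logic for a script on the Reverse Proxy's Forbidden page (option 3):
// if the blocked request was logout.do, send the browser to /pkmslogout
// at the host root, which is the Reverse Proxy's own logout page.
// Returns the target (or null) so it can be checked; in the page you would
// assign the result to window.location.
function forbiddenPageRedirect(pageUrl) {
  if (!isConsoleLogout(pageUrl)) return null;
  return `${new URL(pageUrl).origin}/pkmslogout`;
}

// Constructed sample: the console published behind the assumed junction.
const samplePage =
  'https://isam.example/wasconsole/ibm/console/logout.do?csrfid=1234567890';
// With the "../../../../" prefix the target escapes the junction and
// reaches the Reverse Proxy; a bare "pkmslogout" would stay under it.
console.log(resolveLogoutTarget(samplePage, '../../../../pkmslogout'));
console.log(resolveLogoutTarget(samplePage, 'pkmslogout'));
console.log(forbiddenPageRedirect(samplePage));
```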
Original Message:
Sent: Wed April 21, 2021 06:29 AM
From: Dennis English
Subject: ISAM integration with WAS Deployment manager/admin console
I think the problem I am describing is misunderstood, so I will try again.
I have configured single sign on perfectly, using LTPA, and I am able to login to the WAS Deployment manager application perfectly. Zero issue, everything is amazing.
The problem is this:
1. The WAS Deployment manager application has a button in the top right corner called "Logout".
2. I want to click that logout button and get logged out of both the WAS Deployment Manager *and* ISAM, and returned to the ISAM login page
3. Currently, clicking that button points to https://<hostname>/ibm/console/logout.do?csrfid=<10-digit-number> .. and I want it to instead point to https://10.30.10.118/pkmslogout ... I am happy to consider other options, the only essential part is that the logout flow I am looking for starts with clicking the application logout button referenced by point 1 above
4. If I can achieve this, there are options available to clear out other relevant cookies.
Why is this a problem? Because it does not feel right that the logout flow is different from the login flow, and it is confusing for a user to be thrown to an unfamiliar login page when they click the logout button.
------------------------------
Dennis English
Original Message:
Sent: Wed April 21, 2021 05:14 AM
From: Serge Vereecke
Subject: ISAM integration with WAS Deployment manager/admin console
Hi,
I think the following article describes this problem: https://www.ibm.com/support/pages/programmatically-logout-websphere-application-server-form-logout-and-webseal-pkmslogout
You can also perform https://www.ibm.com/docs/fr/sva/10.0.0?topic=off-configuring-single-signoff but there is a note on this on tokens. Also, you want a logout from the WAS console to also trigger a logout on ISAM. Unless you have a separate WebSEAL instance, you will log out and no longer have SSO.
It depends on whether the IHS server is on a managed node or node. If there is a problem with the IHS you might not be able to access your admin console and have to fix the IHS problem first. If you do not deploy IHS, the Appserver has an embedded HTTP server.
Hope this helps
Kind regards
Serge Vereecke
IBM Security
------------------------------
Serge Vereecke
Original Message:
Sent: Tue April 20, 2021 12:53 PM
From: Dennis English
Subject: ISAM integration with WAS Deployment manager/admin console
I have configured a junction in ISAM through which users can access the WAS Deployment manager/admin console, which uses LTPA so that users are logging into it using their ISAM credentials. All good so far; however, I have a couple of questions.
1. I want users to be able to click the logout button in the admin console and get logged out of both the admin console and ISAM, what is the best way of doing this? Surely someone has solved this? It feels wrong to log a user out and land them on a login page we don't want them to see.
2. Is it advisable to access the admin console via an IHS server, or is this only really advisable for accessing applications hosted on a WAS application server instance? In theory, I guess it seems best practice to do that, but then I'm not sure the idea of being able to stop an IHS instance in the console that then removes your ability to access the console sounds like a great idea!
------------------------------
Dennis English
------------------------------