NetIQ Access Manager Custom Logout Pages
NetIQ’s Access Manager (NAM) product is a great tool for controlling single sign-on (SSO) and/or restricted access to multiple applications. As a product it is very configurable and very well documented, with one exception: custom logout pages.
By default the product shows a very bland logout page with a simple message indicating that your session has ended. It isn’t the prettiest page in the world, so if you are trying to incorporate Access Manager into public applications you may want to find a way to make the logout page fit the protected application’s look and feel. Access Manager gives you two options for that: rebranding the NAM pages, i.e. adding logos and custom messages to the default pages, or implementing custom logout pages, i.e. fully developed web pages that display exactly what you want to show.
Now, as the title of this blog suggests, we are going to discuss the second option: custom logout pages. The rebranding steps are very well documented in the Access Manager document for the Identity Server (or IDP), so we won’t be going into that here. And while the ability to use custom logout pages is documented in that same document, there are a few things that could be noted better and more clearly, hence this post.
The first thing you need to know about using custom logout pages is that the custom logout page can be hosted on ANY web server. I actually had one instance of NAM use the IDMWorks homepage as a custom logout page just to show it could be done. So depending on how the customization is being done you can host your custom logout page on the web server provided with the IDP or on any other server accessible from the IDP. And when I say accessible from the IDP I mean the network traffic from the IDP must be able to reach the target server. If the servers are on different networks then the routing and firewalls all have to be configured to allow communication from the IDP server to the target web server. Most often though I see custom logout pages being hosted by the IDP server which simplifies things a bit.
The second thing to keep in mind is that if you host a custom logout page on the IDP server the URL can be relative. There is no need to do a full URL like “https://www.idmworks.com/customlogout.html” if the page is being hosted locally. You can just say “customlogout.html”. The documentation for some of the recent versions of NAM has been a little vague on that point, but in case you were wondering, the IDP is smart enough to do relative URLs for local files.
Another good thing to keep in mind is that the IDP knows which URL or protected resource the logout action is coming from, so if you have more than one protected resource in your NAM configuration you can either use a global custom logout page, i.e. one page for all resources, or you can use a different custom page for various resources. All logout actions go through the same basic process on the IDP server, so if you need multiple custom logout pages you can capture the URL of the original resource and apply some scripting logic to the logoutSuccess.jsp page on the IDP server to determine the source and the URL of the appropriate logout page.
The key step in all of this is the redirect code that must be applied to the logoutSuccess.jsp page on the IDP server. The Access Manager documentation does a good job of explaining how this works. Essentially you add the following code to the file replacing everything in thetags of the logoutSuccess.jsp page with the following code:
Of course this logic can be more complex if you are trying to do multiple custom logout pages based on the protected resource but the same concept applies.
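The per-resource selection described above, as an added example (not code from this post or from the NetIQ documentation): a JavaScript function that maps the originating URL to a logout page through a fixed table, so the redirect target is never built from the incoming URL itself. The host names, page names, and the way the originating URL reaches the function are assumptions.

```javascript
// Added example. Hosts, paths and page names are constructed placeholders.
// Each row: [protected resource host, path prefix, logout page].
const LOGOUT_PAGES = [
  ["hr.example.com",     "/",        "https://hr.example.com/loggedout.html"],
  ["portal.example.com", "/finance", "finance-logout.html"], // relative: hosted on the IDP
  ["portal.example.com", "/",        "portal-logout.html"],  // relative: hosted on the IDP
];
const DEFAULT_LOGOUT_PAGE = "customlogout.html"; // global page, relative to the IDP

// Match on whole path segments so "/finance" does not also match "/financebad".
function pathMatches(pathname, prefix) {
  if (prefix === "/") return true;
  return pathname === prefix || pathname.startsWith(prefix + "/");
}

// sourceUrl: URL of the protected resource the logout came from. How it is
// captured inside logoutSuccess.jsp is outside this example (assumption).
function pickLogoutPage(sourceUrl) {
  let u;
  try {
    u = new URL(sourceUrl);
  } catch (e) {
    return DEFAULT_LOGOUT_PAGE; // missing or malformed value
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    return DEFAULT_LOGOUT_PAGE; // e.g. javascript: or data: URLs
  }
  const host = u.hostname.toLowerCase();
  let best = null;
  for (const [h, prefix, page] of LOGOUT_PAGES) {
    // Exact host comparison, longest matching path prefix wins.
    if (h === host && pathMatches(u.pathname, prefix)) {
      if (best === null || prefix.length > best.prefix.length) {
        best = { prefix, page };
      }
    }
  }
  // Only values from the table or the default are ever returned; the
  // incoming URL is used as a lookup key and never as the redirect target.
  return best ? best.page : DEFAULT_LOGOUT_PAGE;
}
```

Because the function can only return an entry from the table or the global default, an unexpected or manipulated source URL falls back to the default page instead of steering the redirect.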
The last thing you need to know, and this isn’t documented in the current version of the Access Manager documentation, is that if you update the logoutSuccess.jsp page the changes will NOT take effect until you restart Tomcat on the IDP server.
- Linux Identity Server: Enter the following command:
- Windows Identity Server: Enter the following commands:
net stop Tomcat7
net start Tomcat7
Once the IDP Tomcat has been restarted, the redirect logic should work. NetIQ support is aware of this missing step, so if you are having issues implementing a custom logout page because you missed it, the support team will advise you to do it.