Logout From Custom Authentication Module

This topic contains 6 replies, has 2 voices, and was last updated by  rasarkar 9 months, 1 week ago.


    Hi Team,

    We have two authentication chains. The first one consists of 2 AD modules. First one is set to sufficient and second one is set to required, because the user will reside in any one of the AD instances. After the user has authenticated the user needs to go through Adaptive check and if needed through HOTP as well. We are tweaking the HOTP module code to meet certain goals. This second chain contains these two modules. This chain is invoked from Authorization policy.

    The problem that we are facing is – As the user is authenticated against AD the session still remains active even when the adaptive and HOTP fails. Though the user is not able to access the resource because of the authorization policy, but the session is not destroyed.

    Can we tweak the HOTP module code in such a way that the session is destroyed if the HOTP module authentication fails or the chain fails? Can we add a scripted authentication module that can do the logout for us? Can we do a logout from a post authentication plugin (onLoginFailure method)?

    Any help on this will be appreciated thanks.


     Scott Heger 

    A simple approach would be to set the “Failed Login URL” of your second chain to be the OpenAM logout URL. In that case when the chain fails, the user is sent to the logout URL and thus logged out. You could also add a goto parameter to the logout URL to send the user somewhere else after logout if you wish (i.e. a page indicating why they were logged out, etc.)


    Thanks Scott. I thought so. There are two things that are creating a roadblock.
    1. Is there a way that I can create a page and club it with the war file but keep the page unprotected, so that after logout the user can be taken to the custom page?
    2. Also, currently there are two scenarios in which I want to destroy the session, so I want the page to be dynamic in showing the error messages. As the user will be logged out, how can I set some properties based on which I can make the page dynamic?


     Scott Heger 

    I think what you are asking is that you want to host a page within your protected application that would display a custom message after the user is logged out. That is possible. How are you protecting your application? Are you using a policy agent? If so, in your policy agent profile you can define the URL/URI to that page as “Not Enforced”. Look in the Application tab of your agent profile.

    Using cookies seems to be a logical way to convey information to your page after the user is logged out. How and where you set those would probably depend on what your two scenarios are. Can you elaborate on those?


    I want to host a page in OpenAM war file.

     Scott Heger 

    Yes you can add a custom page into OpenAM. I’ve done this with static HTML pages and dynamic JSP pages.



    I have used a custom page and you are right, it's unprotected by default. The problem is the user is not always redirected to the error page. There are two scenarios in which I want the user to be redirected to this page:

    1. If the user has no contact address in user’s profile.
    2. If the user has entered wrong OTP 3 times.

    In both the scenarios I am returning an error state after setting failure ID. PFB the code snippet

    substituteHeader(ERROR_STATE, bundle.getString("no.contacts"));
    return ERROR_STATE;

    My error state callback snippet is as follows-

    <Callbacks length="1" order="4" timeout="900" header="#TO BE SUBSTITUTED#" error="true" >
    <Prompt>#THE DUMMY WILL NEVER BE SHOWN#</Prompt>

    And I have set the Failed Login URL in the chain to the error page.

    For the first scenario the user is not redirected to the error page, but for the second scenario the user is redirected. What I see in the first scenario is the default page that says “unable to login” followed by a link that says “Return to Login”.

    Is there any reason why the user is not redirected?
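
Following up on the suggestion earlier in the thread to use cookies to tell the post-logout page which of the two scenarios applied: the sketch below is an added example, not part of any post and not ForgeRock code. The cookie name `logoutReason`, the codes `NO_CONTACT` and `OTP_LOCKED`, and the element id `reason` are assumptions. The cookie carries only a short code that the unprotected page maps to fixed text, so whatever value a client puts in the cookie never reaches the page as markup.

```javascript
// Added example: cookie name, reason codes and element id are assumptions.
const REASON_COOKIE = "logoutReason"; // hypothetical cookie name

// Fixed allow-list: the cookie selects a message, it never supplies one.
const MESSAGES = Object.freeze({
  NO_CONTACT: "No contact address is registered on your profile.",
  OTP_LOCKED: "The one-time password was entered incorrectly 3 times.",
});
const DEFAULT_MESSAGE = "You have been logged out.";

// Parse a document.cookie style string into a prototype-less map.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    const name = eq < 0 ? "" : part.slice(0, eq).trim();
    if (!name) continue; // skip empty or nameless fragments
    let value = part.slice(eq + 1).trim();
    try {
      value = decodeURIComponent(value);
    } catch (e) {
      continue; // malformed percent-encoding: ignore this cookie
    }
    if (!(name in jar)) jar[name] = value; // first occurrence wins
  }
  return jar;
}

// Map the reason code to its fixed message; anything unknown gets the default.
function logoutMessage(cookieHeader) {
  const code = parseCookies(cookieHeader)[REASON_COOKIE];
  // Own-property check rejects values such as "constructor" or "__proto__".
  if (typeof code === "string" &&
      Object.prototype.hasOwnProperty.call(MESSAGES, code)) {
    return MESSAGES[code];
  }
  return DEFAULT_MESSAGE;
}

// In the browser: write with textContent (not innerHTML), then expire the cookie.
if (typeof document !== "undefined") {
  document.getElementById("reason").textContent = logoutMessage(document.cookie);
  document.cookie = REASON_COOKIE + "=; Max-Age=0; path=/";
}
```

The cookie has to be readable by script for this to work, so it must not hold anything sensitive, and the path used to expire it has to match the path it was set with.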
