Use of /pkmslogout with virtual host junctions

Policies can be attached to pkmslogout, but WebSEAL does not always apply the policies.

For example, if a user who has already authenticated to WebSEAL requests pkmslogout, the pkmslogout page ends the user session without an authorization check; ACL policies are not applied to such requests. However, if a user who has not authenticated to WebSEAL requests pkmslogout, the request is treated as a normal request and WebSEAL conducts an authorization check.

If the authorization check fails, the request proceeds as a normal authorization failure. In the default WebSEAL configuration, the user is prompted to log in.

If the authorization check passes, WebSEAL attempts to retrieve an object called /pkmslogout from the root junction, and this typically results in a 404 Not Found response from WebSEAL.

The allow-unauthenticated-logout option in the [acnt-mgmt] stanza determines whether unauthenticated users are able to request the pkmslogout resource without authenticating first. If set to yes, WebSEAL behaves in the same manner whether the user logging out is authenticated or unauthenticated.

There are several methods to achieve single logout using Security Access Manager. One method is to embed <IMG> or <IFRAME> HTML tags in a logout page so that the browser simultaneously logs the user out of multiple servers when the page is viewed. For example, the following HTML tags send requests to /pkmslogout on three different virtual hosts:
<img src="https://www.example.com/pkmslogout" height="0" width="0">
<img src="https://sales.example.com/pkmslogout" height="0" width="0">
<img src="https://accts.example.com/pkmslogout" height="0" width="0">

If this technique is used for single logout, it can be beneficial to either attach ACLs to /pkmslogout or to use the [acnt-mgmt] allow-unauthenticated-logout option to control WebSEAL behavior. For more information about the allow-unauthenticated-logout option, see the IBM Security Web Gateway appliance: Web Reverse Proxy Stanza Reference.
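The following Python is an added illustration, not IBM code and not WebSEAL's implementation: it models the decision sequence described above so that an administrator can see, for each virtual host referenced from a single-logout page, which of the three outcomes a browser request to /pkmslogout will produce. The per-host flags and the sample host settings are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    SESSION_ENDED = "logout page served; session ended without an authorization check"
    LOGIN_PROMPT = "authorization check failed; default configuration prompts for login"
    NOT_FOUND = "authorization check passed; /pkmslogout fetched from root junction (404)"

@dataclass(frozen=True)
class VirtualHost:
    name: str
    # Mirrors [acnt-mgmt] allow-unauthenticated-logout = yes|no on this virtual host.
    allow_unauthenticated_logout: bool
    # Constructed flag: whether the ACL on /pkmslogout permits an unauthenticated user.
    acl_permits_unauthenticated: bool

def handle_pkmslogout(host: VirtualHost, authenticated: bool) -> Outcome:
    """Outcome of GET /pkmslogout on `host`, following the sequence described above."""
    # An authenticated session is ended with no ACL check; with
    # allow-unauthenticated-logout = yes the same happens for an unauthenticated user.
    if authenticated or host.allow_unauthenticated_logout:
        return Outcome.SESSION_ENDED
    # Otherwise the request is a normal request and goes through authorization.
    return Outcome.NOT_FOUND if host.acl_permits_unauthenticated else Outcome.LOGIN_PROMPT

# Hostnames referenced by <img src="https://<host>/pkmslogout"> tags in a logout page.
_IMG_SRC = re.compile(r'<img\s[^>]*src="https://([^/"]+)/pkmslogout"', re.IGNORECASE)

def logout_targets(logout_page_html: str) -> list:
    return _IMG_SRC.findall(logout_page_html)

def single_logout_report(logout_page_html, hosts, authenticated_on):
    """Map each host the logout page targets to the outcome its request will get;
    `authenticated_on` is the set of hostnames the user holds a WebSEAL session on."""
    by_name = {h.name: h for h in hosts}
    return {name: handle_pkmslogout(by_name[name], name in authenticated_on)
            for name in logout_targets(logout_page_html)}

# Constructed sample: the three tags shown above plus assumed per-host settings.
SAMPLE_PAGE = "\n".join(
    f'<img src="https://{h}/pkmslogout" height="0" width="0">'
    for h in ("www.example.com", "sales.example.com", "accts.example.com"))
SAMPLE_HOSTS = [
    VirtualHost("www.example.com", allow_unauthenticated_logout=False, acl_permits_unauthenticated=False),
    VirtualHost("sales.example.com", allow_unauthenticated_logout=True, acl_permits_unauthenticated=False),
    VirtualHost("accts.example.com", allow_unauthenticated_logout=False, acl_permits_unauthenticated=True),
]
```

Calling `single_logout_report(SAMPLE_PAGE, SAMPLE_HOSTS, {"www.example.com"})` for a user logged in on www only shows that the accts request is served a 404 rather than a logout, which is the case the ACL or stanza option is meant to address.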