I've successfully integrated SiteMinder with Spring Security. However, Spring Security's logout URL doesn't apply to SiteMinder.
Spring Security
<logout delete-cookies="JSESSIONID" logout-success-url="/" invalidate-session="true" />
Spring Security Logout URL
<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
Any suggestions which URL to use for SiteMinder/PreAuthentication?
Checked the HTTP header. SiteMinder sets its cookie to SMSESSION by default. However, this cookie isn't controlled by Spring Security. SiteMinder must deploy a logout URL and be configured accordingly.
Solution:
<logout delete-cookies="JSESSIONID,SMSESSION" logout-success-url="/" invalidate-session="true" logout-url="/logout.html"/>
If you want to delete multiple cookies, separate them using commas.
The delete-cookies attribute: A comma-separated list of the names of cookies which should be deleted when the user logs out.
Reference: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
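An added example, not part of the original post or of Spring Security's own code: the handler behind delete-cookies (CookieClearingLogoutHandler) expires each cookie on the application's context path and sets no domain, so a cookie issued with a wider scope is left in the browser. The handler below expires a cookie using an explicit domain and path. Assumptions: SMSESSION is scoped to a parent domain and path "/", and ".example.com" is a constructed placeholder.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/** Added example: expires a cookie using the same scope it was issued with. */
public class ScopedCookieLogoutHandler implements LogoutHandler {

    private final String name;
    private final String domain; // null means a host-only cookie
    private final String path;

    public ScopedCookieLogoutHandler(String name, String domain, String path) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("cookie name is required");
        }
        this.name = name;
        this.domain = domain;
        this.path = (path == null || path.isEmpty()) ? "/" : path;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // A browser only replaces a cookie when name, domain and path all match,
        // so the expiring cookie must carry the original scope.
        Cookie expired = new Cookie(name, "");
        if (domain != null) {
            expired.setDomain(domain);
        }
        expired.setPath(path);
        expired.setMaxAge(0); // Max-Age=0 tells the browser to discard it
        // Mark Secure only on HTTPS; browsers reject Secure cookies set over HTTP.
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }

    /** Constructed sample scope; replace with the values your web agent uses. */
    public static ScopedCookieLogoutHandler forSiteMinder() {
        return new ScopedCookieLogoutHandler("SMSESSION", ".example.com", "/");
    }
}
```

Register it in the handler list of a LogoutFilter bean alongside SecurityContextLogoutHandler. Expiring the cookie only affects the browser; ending the session on the SiteMinder side still depends on the SiteMinder logout URL mentioned above.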