Web Policy Agents 2023.3

Logout redirect

On logout, the Web Agent can redirect users to a specific AM page, or to a custom logout page on your web server. For the properties that configure logout redirect, refer to Logout redirect.

The agent maintains the user realm for each session, obtaining it from the JWT or sessioninfo endpoint. When a user logs out, the agent automatically passes the stored realm to the logout endpoint. To log out to a landing page in a specific realm, specify the realm in AM Logout URL.

Logout redirect is triggered when Disable Logout Redirection is false and the incoming URL matches a value in Logout URL List or Agent Logout URL Regular Expression.

When the incoming URL matches a logout URL, the agent redirects the web client to a URL configured in Logout Redirect URL.

To ensure the end user can access the logout redirect URL, add it to the Not-Enforced URL List.

If Enable Invalidate Logout Session is true, the agent invalidates the session in AM. Configure this if Logout URL List is set to a page in your application, and your application does not handle the session invalidation process.

If Enable Invalidate Logout Session is false, the logout page is responsible for invalidating the user session. Configure this if the Logout URL List is a SAML v2.0 logout page, the AM logout page, or a page in your application that can handle the session invalidation process.

If Disable Logout Redirection is true, the agent does not add the goto parameter, and the web client remains on the logout page.

To reset specified cookies during logout, configure Reset Cookies on Logout List.
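The following configuration check is an added example, not ForgeRock code. It flags the three conditions described above that can leave logout ineffective: no trigger URL, a redirect target that is still enforced, and session invalidation left to the logout page. The field names are hypothetical and mirror the console labels rather than the agent's real property names; URL comparison is simplified to exact matching, and the sample profiles are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class LogoutConfig:
    # Hypothetical field names mirroring the console labels on this page;
    # they are not the agent's real property names.
    disable_logout_redirection: bool
    enable_invalidate_logout_session: bool
    logout_redirect_url: str
    logout_url_list: list = field(default_factory=list)
    agent_logout_url_regex: str = ""
    not_enforced_url_list: list = field(default_factory=list)

def matches_logout_url(cfg, url):
    """True when the incoming URL is listed or matches the logout regex."""
    if url in cfg.logout_url_list:
        return True
    # Assumption: the expression must match the whole URL.
    return bool(cfg.agent_logout_url_regex
                and re.fullmatch(cfg.agent_logout_url_regex, url))

def audit(cfg):
    """Return (code, message) findings for one agent profile."""
    findings = []
    redirect_on = not cfg.disable_logout_redirection
    has_trigger = bool(cfg.logout_url_list or cfg.agent_logout_url_regex)
    if redirect_on and not has_trigger:
        findings.append(("NO_TRIGGER",
                         "no logout URL or regex is set, so logout redirect never fires"))
    # Assumption: exact string comparison; real not-enforced rules may use patterns.
    if redirect_on and cfg.logout_redirect_url not in cfg.not_enforced_url_list:
        findings.append(("REDIRECT_ENFORCED",
                         "Logout Redirect URL is missing from the Not-Enforced URL List"))
    if has_trigger and not cfg.enable_invalidate_logout_session:
        findings.append(("PAGE_MUST_INVALIDATE",
                         "agent will not invalidate the AM session; confirm each logout page does"))
    return findings

# Constructed sample profiles (example.com values are placeholders).
WEAK = LogoutConfig(False, False, "https://app.example.com/bye.html",
                    logout_url_list=["https://app.example.com/logout"])
FIXED = LogoutConfig(False, True, "https://app.example.com/bye.html",
                     logout_url_list=["https://app.example.com/logout"],
                     not_enforced_url_list=["https://app.example.com/bye.html"])

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, [code for code, _ in audit(cfg)] or "no findings")
```

A PAGE_MUST_INVALIDATE finding is a review prompt rather than an error: it is expected when the logout URL is a SAML v2.0 logout page or the AM logout page.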

Example logout flow with AM as the logout page


Example logout flow with the application serving the logout page

Copyright © 2010-2023 ForgeRock, all rights reserved.