Web Policy Agents 2024.3

Logout

This section describes how to trigger a logout based on the properties of a request, and how to redirect users after logout to a specified logout resource.

The agent maintains the user's realm for each session, obtaining it from the session JWT or from AM's sessioninfo endpoint. When a user logs out, the agent automatically passes the stored realm to the logout endpoint.

Web Agent provides the following properties to configure logout:

Trigger logout

  • Enable Regex for Logout URL List: A flag to evaluate the expressions in Logout URL List as regular expressions instead of as wildcard expressions.

  • Logout URL List: An expression that resolves to one or more application logout URLs. When the end user accesses a logout URL, the agent triggers a logout flow. The web server must be able to handle the logout URLs. Expressions can be wildcard expressions, Perl-compatible regular expressions, or ECMAScript-compatible (IIS) regular expressions.

  • (Deprecated) A Perl-compatible or ECMAScript-compatible (IIS) regular expression that resolves to one or more application logout URLs. Use Logout URL List instead. If this property is used, it is evaluated before Enable Regex for Logout URL List in the logout flow.

Manage logout

  • AM Logout URL: A URL to manage the logout.

  • Enable Invalidate Logout Session: A flag to end the AM session when the value of Logout URL List is a page in your application and your application doesn't handle the session invalidation process.

  • Reset Cookies on Logout List: A list of cookies to reset on logout.

Redirect after logout

  • Logout Redirect URL: A URL to which the user is redirected after logout.

  • Disable Logout Redirection: A flag to disallow redirect after logout. When true, the agent performs session logout in the background and continues processing access to the current URL.

Trigger logout with a URL

The agent triggers logout according to the configuration of Logout URL List and Enable Regex for Logout URL List (and, if it is still set, the deprecated regular-expression property, which is evaluated first).

The following image shows how the properties are applied:

(diagram: Properties to trigger logout)
Examples
  • The following example triggers logout when the request URL is */bank/log-me-out:

    org.forgerock.agents.config.logout.regex.enable=false
    com.forgerock.agents.agent.logout.url=*//*:*/bank/log-me-out
  • The following example triggers logout when the request URL is anywhere in the path */logout/*:

    org.forgerock.agents.config.logout.regex.enable=false
    com.forgerock.agents.agent.logout.url=*//*:*/*/logout/*
  • The following example triggers logout when:

    • The request URL is https://example.domain.com:443/protectedA or https://example.domain.com:443/protectedB (the expression allows no further path segments), and

    • The query string includes op=logout anywhere in the parameter list

    org.forgerock.agents.config.logout.regex.enable=true
    com.forgerock.agents.agent.logout.url=https:\/\/example.domain.com:443\/(protectedA|protectedB)\?(.*\&)*op=logout(\&.*)*$
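The following script is an added example (not agent code, and not from ForgeRock) that dry-runs the three Logout URL List expressions above against constructed request URLs in both evaluation modes, so a configuration can be checked before it is deployed. It also shows a caveat of the regular-expression example: as written it has no leading `^`, so a regex engine searching the request URL will also accept a request to an ordinary page whose query string carries a full logout URL, and the hardened variant in the block anchors the expression and escapes the dots in the host name. Assumptions that the page does not state: each `*` in a wildcard expression matches any run of characters, `/` included; Python's `re` module stands in for the agent's Perl-compatible engine; and the agent matches against the full request URL including scheme, port and query string.

```python
"""Dry-run a Web Agent Logout URL List against sample request URLs.

Added example, not code from the agent or from ForgeRock. Mirrors the two modes
the page describes: wildcard expressions when Enable Regex for Logout URL List
is false, regular expressions when it is true. Assumptions: '*' matches any run
of characters ('/' included); Python's re stands in for the agent's PCRE engine;
the full request URL (scheme, port, query string) is what gets matched.
"""
import re


def wildcard_to_regex(expr):
    """Escape the literal parts of a wildcard expression and turn each '*' into '.*'.
    The result is anchored at both ends: a wildcard expression must cover the whole URL."""
    return "^" + ".*".join(re.escape(part) for part in expr.split("*")) + "$"


def is_logout_url(url, logout_url_list, regex_enabled):
    """True if url matches any expression in logout_url_list under the configured mode.
    In regex mode the expression is used exactly as written, so an expression without a
    leading '^' is searched for anywhere in the URL rather than matched against all of it."""
    for expr in logout_url_list:
        pattern = expr if regex_enabled else wildcard_to_regex(expr)
        if re.search(pattern, url):
            return True
    return False


# The three expressions from the page's examples ...
WILDCARD_BANK = "*//*:*/bank/log-me-out"
WILDCARD_LOGOUT_PATH = "*//*:*/*/logout/*"
REGEX_PAGE = r"https:\/\/example.domain.com:443\/(protectedA|protectedB)\?(.*\&)*op=logout(\&.*)*$"
# ... and a hardened variant of the third: anchored with '^' so it can only match a URL
# that begins with the protected host, and with the dots in the host name escaped.
REGEX_ANCHORED = r"^https:\/\/example\.domain\.com:443\/(protectedA|protectedB)\?(.*\&)*op=logout(\&.*)*$"

# Constructed request URLs for the dry run (not from the page).
SAMPLES = {
    "bank_exact": "https://app.example.com:443/bank/log-me-out",
    "bank_with_query": "https://app.example.com:443/bank/log-me-out?lang=en",
    "logout_nested": "https://app.example.com:443/shop/logout/now",
    "logout_at_root": "https://app.example.com:443/logout/now",
    "regex_plain": "https://example.domain.com:443/protectedA?op=logout",
    "regex_middle": "https://example.domain.com:443/protectedB?lang=en&op=logout&x=1",
    "regex_noop": "https://example.domain.com:443/protectedA?noop=logout",
    "regex_subpath": "https://example.domain.com:443/protectedA/sub?op=logout",
    # An ordinary page whose query string carries a full logout URL, as a
    # return-to parameter might; only the unanchored expression accepts it.
    "regex_embedded": "https://example.domain.com:443/account?return="
                      "https://example.domain.com:443/protectedA?op=logout",
}


def dry_run():
    """Evaluate each sample against the list and mode it was written for.
    Returns {sample_name: matched}; 'embedded_anchored' re-checks the embedded
    sample with the hardened expression."""
    results = {}
    for name in ("bank_exact", "bank_with_query"):
        results[name] = is_logout_url(SAMPLES[name], [WILDCARD_BANK], regex_enabled=False)
    for name in ("logout_nested", "logout_at_root"):
        # '/*/logout/*' needs at least one path segment before /logout/; add
        # '*//*:*/logout/*' to the list if the root path should trigger too.
        results[name] = is_logout_url(SAMPLES[name], [WILDCARD_LOGOUT_PATH], regex_enabled=False)
    for name in ("regex_plain", "regex_middle", "regex_noop", "regex_subpath", "regex_embedded"):
        results[name] = is_logout_url(SAMPLES[name], [REGEX_PAGE], regex_enabled=True)
    results["embedded_anchored"] = is_logout_url(SAMPLES["regex_embedded"], [REGEX_ANCHORED],
                                                 regex_enabled=True)
    return results


if __name__ == "__main__":
    for name, matched in dry_run().items():
        print(f"{name:18} -> {'logout' if matched else 'no logout'}")
```

Two results are worth noting when tuning a list: a wildcard expression with no trailing `*` does not match the same path once a query string is appended, and the unanchored regular expression lets a request to `/account` trigger a logout because the pattern is found inside its query string, which the anchored variant prevents.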

Redirect logout to a landing page

The agent redirects users to a specified resource after logout when the following properties are configured:

  • Disable Logout Redirection

    • Set to false to allow redirect on logout. The agent appends a goto parameter to the logout URL with the value of the Logout Redirect URL.

    • Set to true to disable redirect in logout. The agent doesn’t perform the last redirection and leaves the web client on the logout page.

      Consider setting Enable Invalidate Logout Session to true when this property is true.

  • Logout Redirect URL

    Specify an HTML page to which the agent redirects the end user on logout. The page must be available on your web server.

Depending on which page serves the logout, perform the additional configuration described in the following section.

End AM sessions on logout

Configure one of the following properties to manage logout:

  • AM Logout URL: redirects the request to AM's logout endpoint, /am/UI/Logout by default.

  • Enable Invalidate Logout Session

    • Set to true when Logout URL List is configured with a page in your application, but your application doesn’t handle the session invalidation process.

      The agent doesn't add the goto parameter to the URL, and the web client remains on the logout page.

      The agent deletes its own JWT cookie and invalidates the AM session.

    • Set to false when Logout URL List has any of the following values:

      • A SAML v2.0 logout page.

      • An AM logout page.

      • A page in your application, and your application does handle the session invalidation process.

      The agent deletes its own JWT cookie but doesn’t invalidate the AM session.

Reset cookies on logout

To reset specified cookies during logout, configure Reset Cookies on Logout List.
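The following script is an added example (not agent code, and not from ForgeRock) that encodes the interactions this page documents between Disable Logout Redirection, Enable Invalidate Logout Session, Logout Redirect URL and AM Logout URL, so a configuration can be checked for combinations the page says do not work together, and that builds the redirect the agent issues when redirection is enabled, with the goto value percent-encoded so a redirect page that carries its own query string survives as one parameter. Assumptions not stated on the page: property values are passed as a dict keyed by the snake_cased property name, the stored realm is sent as a `realm` query parameter (the page says only that the realm is passed to the logout endpoint), and AM Logout URL is an absolute URL.

```python
"""Lint a Web Agent logout configuration against the rules this page states,
and build the post-logout redirect.

Added example, not agent code. Assumptions: config is a dict keyed by the
snake_cased property names; the realm travels as a 'realm' query parameter;
am_logout_url is an absolute URL.
"""
from urllib.parse import urlencode


def lint_logout_config(cfg):
    """Return warnings for settings this page says do not work together."""
    invalidate = cfg.get("enable_invalidate_logout_session", False)
    no_redirect = cfg.get("disable_logout_redirection", False)
    redirect_url = cfg.get("logout_redirect_url")
    warnings = []
    if no_redirect and not invalidate:
        # Page: consider Enable Invalidate Logout Session=true when redirection is
        # disabled; with it false the agent only deletes its own JWT cookie.
        warnings.append("Disable Logout Redirection is true but Enable Invalidate Logout "
                        "Session is false: the agent deletes its JWT cookie only, so the "
                        "AM session stays valid unless the logout page itself ends it")
    if invalidate and redirect_url:
        # Page: with Enable Invalidate Logout Session=true no goto parameter is added
        # and the client stays on the logout page.
        warnings.append("Enable Invalidate Logout Session is true: the agent adds no goto "
                        "parameter, so Logout Redirect URL is never used")
    return warnings


def am_logout_redirect(cfg, realm):
    """URL the agent redirects to after a logout trigger, or None when no redirect
    happens (Disable Logout Redirection is true, or Enable Invalidate Logout Session
    is true and the agent invalidates the session itself)."""
    if cfg.get("disable_logout_redirection", False):
        return None
    if cfg.get("enable_invalidate_logout_session", False):
        return None
    params = {"realm": realm}  # assumed parameter name for the stored realm
    if cfg.get("logout_redirect_url"):
        # urlencode percent-encodes ':', '/', '?', '=' and '&' in the goto value so AM
        # receives the whole redirect URL, query string included, as one parameter.
        params["goto"] = cfg["logout_redirect_url"]
    return cfg["am_logout_url"] + "?" + urlencode(params)


# Constructed configuration (not from the page).
EXAMPLE_CONFIG = {
    "am_logout_url": "https://am.example.com/am/UI/Logout",
    "logout_redirect_url": "https://app.example.com/bye.html?lang=en",
    "disable_logout_redirection": False,
    "enable_invalidate_logout_session": False,
}

if __name__ == "__main__":
    for label, cfg in (("redirect", EXAMPLE_CONFIG),
                       ("no redirect", dict(EXAMPLE_CONFIG, disable_logout_redirection=True)),
                       ("invalidate", dict(EXAMPLE_CONFIG, enable_invalidate_logout_session=True))):
        print(label, "->", am_logout_redirect(cfg, "/customers"), lint_logout_config(cfg))
```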

Example logout flow with AM as the logout page

(diagram: logout-flow-am)

Example logout flow with the application serving the logout page

(diagram: logout-flow-custom)
Copyright © 2010-2024 ForgeRock, all rights reserved.