Logout
This section describes how to trigger a logout based on the properties of a request, and how to redirect users after logout to a specified logout resource.
The agent maintains the user realm
for each session, obtaining it from the JWT or sessioninfo
endpoint.
When a user logs out, the agent automatically passes the stored realm to the
logout endpoint.
Web Agent provides the following properties to configure logout:
Task | Property | Description |
---|---|---|
Trigger logout |
A flag to evaluate expressions in Logout URL List as regular expressions instead of as wildcard expressions. |
|
An expression that resolves to one or more application logout URLs. When the end user accesses a logout URL, the agent triggers a logout flow. The web server must be able to handle the logout URLs. Expressions can be wildcard expressions, Perl-compatible regular expressions, or ECMAScript-compatible (IIS) regular expressions. |
||
A Perl-compatible or ECMAScript-compatible (IIS) regular expression that resolves to one or more application logout URLs. This property is deprecated; use Logout URL List instead. If this property is used, it is evaluated before Enable Regex for Logout URL List in the logout flow. |
||
Manage logout |
A URL to manage the logout. |
|
A flag to kill the AM session when the value of Logout URL List is a page in your application and your application doesn’t handle the session invalidation process. |
||
A list of cookies to reset on logout. |
||
Redirect after logout |
A URL to which the user is redirected after logout. |
|
A flag to disallow redirect after logout. When |
Trigger logout with a URL
The agent triggers logout according to the configuration of the following properties:
The following image shows how the properties are applied:
-
The following example triggers logout when the request URL is from
*/bank/log-me-out
:org.forgerock.agents.config.logout.regex.enable=false com.forgerock.agents.agent.logout.url=*//*:*/bank/log-me-out
-
The following example triggers logout when the request URL is anywhere in the path
*/logout/*
:org.forgerock.agents.config.logout.regex.enable=false com.forgerock.agents.agent.logout.url=*//*:*/*/logout/*
-
The following example triggers logout when:
-
The request URL is on the path
*/protectedA/*
or*/protectedB/*
, -
The request URL contains a second query section that includes
op=logout
anywhere in the parameter list
org.forgerock.agents.config.logout.regex.enable=true com.forgerock.agents.agent.logout.url=https:\/\/example.domain.com:443\/(protectedA|protectedB)\?(.*\&)*op=logout(\&.*)*$
-
Redirect logout to a landing page
The agent redirects users to a specified resource after logout when the following properties are configured:
-
-
Set to
false
to allow redirect on logout. The agent appends a goto parameter to the logout URL with the value of the Logout Redirect URL. -
Set to
true
to disable redirect in logout. The agent doesn’t perform the last redirection and leaves the web client on the logout page.Consider setting Enable Invalidate Logout Session to
true
when this property istrue
.
-
-
Specify an HTML page to which the agent redirects the end user on logout. The page must be available in your web server.
Depending on the redirect URL, perform this additional configuration:
-
Add the URL to the Not-Enforced URL List.
-
If the URL doesn’t perform a REST logout to AM, set Enable Invalidate Logout Session to
true
. -
If the URL isn’t relative to AM, or in the same scheme, FQDN, and port, add it to the AM validation service.
Learn more from Advanced Identity Cloud’s Configure trusted URLs or AM’s Configure trusted URLs.
End AM sessions on logout
Configure one of the following properties to manage logout:
-
AM Logout URL to redirect the request to AM’s
/am/UI/Logout
endpoint. This is the default value. -
Enable Invalidate Logout Session
-
Set to
true
when Logout URL List is configured with a page in your application, but your application doesn’t handle the session invalidation process.The agent doesn’t add the
goto
parameter to the URL, and the web client remains in the logout page.The agent deletes its own JWT cookie and invalidates the AM session.
-
Set to
false
when Logout URL List has any of the following values:-
A SAML v2.0 logout page.
-
An AM logout page.
-
A page in your application, and your application does handle the session invalidation process.
The agent deletes its own JWT cookie but doesn’t invalidate the AM session.
-
-
Reset cookies on logout
To reset specified cookies during logout, configure Reset Cookies on Logout List.