How To
ForgeRock Identity Platform
ForgeRock Identity Cloud

How do I configure an idle timeout in IG (All versions)?

Last updated Feb 23, 2023

The purpose of this article is to provide information on configuring IG to automatically expire sessions after a set period of time.

2 readers recommend this article

Configuring idle timeout

You have the following options for setting idle timeout in IG depending on your requirements (and IG version):

  • AmSessionIdleTimeoutFilter (IG 7.2 and later) - allows you to force the revocation of Identity Cloud and AM sessions that have been idle for a specified duration.
  • JwtSession - if you use this object to store sessions, you can specify how long they are valid for. This is not strictly an idle timeout, but may be sufficient for your needs.
  • HTTP session - allows you to specify session timeout settings in the web application container.


The AmSessionIdleTimeoutFilter is available as of IG 7.2 and can be used to force the revocation of Identity Cloud and AM sessions that have been idle for a specified duration.

This filter must be used in front of a SingleSignOnFilter or a CrossDomainSingleSignOnFilter in order to manage idle timeout for client sessions in Identity Cloud and AM.

See AmSessionIdleTimeoutFilter for further information on the required configuration and usage.


If you are using the JwtSession object to store sessions, you can use the sessionTimeout property to specify how long sessions are valid for:

  1. Set the persistentCookie property to true to create persistent cookies.
  2. Set sessionTimeout to the period of time for which the JWT session is valid. Once this time period is exceeded, the cookie will expire.

See JwtSession for further information including valid duration settings for the sessionTimeout property.

HTTP session

If you want a true session idle timeout, you can set the <session-timeout> property in either the web application container configuration file (global setting) or in the web.xml file (located in the WEB-INF directory) for the IG web application; this setting overrides the global setting.

For example, to set the timeout to 60 minutes:

<session-config> <session-timeout>60</session-timeout> </session-config>

The required global configuration file varies according to which container you use:

  • Apache Tomcat™ - web.xml (located in the /path/to/tomcat/conf/ directory).
  • Jetty® - webdefault.xml (located in the /path/to/jetty/etc/ directory).
  • JBoss® - web.xml (located in the server/<profile>/deploy/jboss-web.deployer/conf/ directory).

Automatic logout

There are no session expired triggers in IG that can automatically log you out of an associated application once the session expires. One possible solution would be to call the logout endpoint on the other application every time a user arrives at IG without a valid session; however, if this requires tokens or other values that IG won't have access to (because the user's session has expired or does not exist) then this will not be possible.

See Also

Installing and configuring IG

Java Session Timeout

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.