Invalidate all sessions for a given user
To log out all sessions for a given user, first obtain a list of session handles of their active sessions, by performing an HTTP GET to the /json/sessions/ endpoint, using the SSO token of an administrative user, such as amAdmin, as the value of the iPlanetDirectoryPro header.
You must also specify a queryFilter parameter. The queryFilter parameter requires the name of the user, and the realm to search.
For example, to obtain a list of session handles for a user named demo in the alpha realm, the query filter value would be:
username eq "demo" and realm eq "/alpha"
The query filter value must be URL encoded when sent over HTTP. For more information on query filter parameters, see Query.
In the following example, there is one active session:
$ curl \
  --request GET \
  --header "iPlanetDirectoryPro: AQICS…NzEz*" \
  --header "Accept-API-Version: resource=3.1, protocol=1.0" \
  'https://openam.example.com:8443/openam/json/realms/root/realms/alpha/sessions?_queryFilter=username%20eq%20%22demo%22%20and%20realm%20eq%20%22%2Falpha%22'
{
  "result": [
    {
      "_rev": "652365455",
      "username": "demo",
      "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
      "realm": "/alpha",
      "sessionHandle": "shandle:cmvShY1….AA.*",
      "latestAccessTime": "2019-10-03T09:36:53.041Z",
      "maxIdleExpirationTime": "2019-10-03T10:06:53Z",
      "maxSessionExpirationTime": "2019-10-03T11:36:53Z"
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}
To log out all sessions for the specific user, perform an HTTP POST to the /json/sessions/ endpoint, using the SSO token of an administrative user, such as amAdmin, as the value of the iPlanetDirectoryPro header.
You must also specify the logoutByHandle action, and include an array of the session handles to invalidate in the POST body, in a property named sessionHandles, as shown below:
$ curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "iPlanetDirectoryPro: AQICS…NzEz*" \
  --header "Accept-API-Version: resource=3.1, protocol=1.0" \
  --data '{
    "sessionHandles": [
      "shandle:SJ80.AA….JT.",
      "shandle:H4CV.DV….FM."
    ]
  }' \
  'https://openam.example.com:8443/openam/json/realms/root/realms/alpha/sessions/?_action=logoutByHandle'
{
  "result": {
    "shandle:SJ80.AA….JT.": true,
    "shandle:H4CV.DV….FM.": true
  }
}
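The two calls above chained into one routine, as an added example that is not part of the original documentation: it builds the URL-encoded query, collects the session handles, posts them to logoutByHandle, and returns any handle the server did not report as true. The function names and the injectable send transport are hypothetical; it assumes the query returns a single page of results, and it rejects usernames or realms containing a quote or backslash rather than escaping them inside the filter.

```python
import json
import urllib.parse
import urllib.request

API_VERSION = "resource=3.1, protocol=1.0"  # same value as the curl examples


def _url(base, realm, suffix):
    # "/alpha" -> /json/realms/root/realms/alpha/sessions, as in the examples
    path = "".join(f"/realms/{p}" for p in realm.split("/") if p)
    return f"{base}/json/realms/root{path}/sessions{suffix}"


def _request(url, token, body=None):
    headers = {"iPlanetDirectoryPro": token, "Accept-API-Version": API_VERSION}
    if body is None:
        return urllib.request.Request(url, headers=headers, method="GET")
    headers["Content-Type"] = "application/json"
    data = json.dumps(body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def query_request(base, realm, username, token):
    # Refuse characters that would end the quoted literal in the filter.
    if '"' in username + realm or "\\" in username + realm:
        raise ValueError("quote or backslash in username or realm")
    flt = urllib.parse.quote(f'username eq "{username}" and realm eq "{realm}"', safe="")
    return _request(_url(base, realm, "?_queryFilter=" + flt), token)


def logout_request(base, realm, handles, token):
    body = {"sessionHandles": list(handles)}
    return _request(_url(base, realm, "/?_action=logoutByHandle"), token, body)


def invalidate_all(base, realm, username, token, send):
    """Run both steps; return handles the server did not report as true."""
    found = send(query_request(base, realm, username, token))
    handles = [s["sessionHandle"] for s in found.get("result", [])]
    if not handles:  # no active sessions: skip the POST entirely
        return []
    result = send(logout_request(base, realm, handles, token)).get("result", {})
    return [h for h in handles if result.get(h) is not True]


def http_send(req):
    # Network transport for real use; TLS verification stays at urllib's default (on).
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Call invalidate_all(base, "/alpha", "demo", admin_token, http_send) against a live deployment; a non-empty return value lists the handles to retry or investigate.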