Web Agents 2024.9

Logout

This section describes how to trigger a logout based on the properties of a request, and how to redirect users after logout to a specified logout resource.

The agent maintains the user realm for each session, obtaining it from the JWT or sessioninfo endpoint. When a user logs out, the agent automatically passes the stored realm to the logout endpoint.

Web Agent provides the following properties to configure logout:

Task Property Description

Trigger logout

A flag to evaluate expressions in Logout URL List as regular expressions instead of as wildcard expressions.

An expression that resolves to one or more application logout URLs.

When the end user accesses a logout URL, the agent triggers a logout flow. The web server must be able to handle the logout URLs.

Expressions can be wildcard expressions, Perl-compatible regular expressions, or ECMAScript-compatible (IIS) regular expressions.

A Perl-compatible or ECMAScript-compatible (IIS) regular expression that resolves to one or more application logout URLs.

This property is deprecated; use Logout URL List instead.

If this property is used, it is evaluated before Enable Regex for Logout URL List in the logout flow.

Manage logout

A URL to manage the logout.

A flag to kill the AM session when the value of Logout URL List is a page in your application and your application doesn’t handle the session invalidation process.

A list of cookies to reset on logout.

Redirect after logout

A URL to which the user is redirected after logout.

A flag to disallow redirect after logout. When true, the agent performs session logout in the background and continues processing access to the current URL.

Trigger logout with a URL

The agent triggers logout according to the configuration of the following properties:

The following image shows how the properties are applied:

Properties to trigger logout
Examples
  • The following example triggers logout when the request URL is from */bank/log-me-out:

    org.forgerock.agents.config.logout.regex.enable=false
    com.forgerock.agents.agent.logout.url=*//*:*/bank/log-me-out
  • The following example triggers logout when the request URL is anywhere in the path */logout/*:

    org.forgerock.agents.config.logout.regex.enable=false
    com.forgerock.agents.agent.logout.url=*//*:*/*/logout/*
  • The following example triggers logout when:

    • The request URL is on the path */protectedA/* or */protectedB/*,

    • The request URL contains a second query section that includes op=logout anywhere in the parameter list

    org.forgerock.agents.config.logout.regex.enable=true
    com.forgerock.agents.agent.logout.url=https:\/\/example.domain.com:443\/(protectedA|protectedB)\?(.*\&)*op=logout(\&.*)*$

Redirect logout to a landing page

The agent redirects users to a specified resource after logout when the following properties are configured:

  • Disable Logout Redirection

    • Set to false to allow redirect on logout. The agent appends a goto parameter to the logout URL with the value of the Logout Redirect URL.

    • Set to true to disable redirect in logout. The agent doesn’t perform the last redirection and leaves the web client on the logout page.

      Consider setting Enable Invalidate Logout Session to true when this property is true.

  • Logout Redirect URL

    Specify an HTML page to which the agent redirects the end user on logout. The page must be available in your web server.

Depending on the redirect URL, perform this additional configuration:

End AM sessions on logout

Configure one of the following properties to manage logout:

  • AM Logout URL to redirect the request to AM’s /am/UI/Logout endpoint. This is the default value.

  • Enable Invalidate Logout Session

    • Set to true when Logout URL List is configured with a page in your application, but your application doesn’t handle the session invalidation process.

      The agent doesn’t add the goto parameter to the URL, and the web client remains in the logout page.

      The agent deletes its own JWT cookie and invalidates the AM session.

    • Set to false when Logout URL List has any of the following values:

      • A SAML v2.0 logout page.

      • An AM logout page.

      • A page in your application, and your application does handle the session invalidation process.

      The agent deletes its own JWT cookie but doesn’t invalidate the AM session.

Reset cookies on logout

To reset specified cookies during logout, configure Reset Cookies on Logout List.

Example logout flow with AM as the logout page

logout-flow-am

Example logout flow with the application serving the logout page

logout-flow-customsvg