--- title: Logout description: This section describes how to trigger a logout based on the properties of a request, and how to redirect users after logout to a specified logout resource. component: web-agents version: 2025.11 page_id: web-agents:user-guide:logout canonical_url: https://docs.pingidentity.com/web-agents/2025.11/user-guide/logout.html section_ids: trigger_logout_with_a_url: Trigger logout with a URL redirect_logout_to_a_landing_page: Redirect logout to a landing page end_am_sessions_on_logout: End AM sessions on logout reset_cookies_on_logout: Reset cookies on logout example_logout_flow_with_am_as_the_logout_page: Example logout flow with AM as the logout page example_logout_flow_with_the_application_serving_the_logout_page: Example logout flow with the application serving the logout page --- # Logout This section describes how to trigger a logout based on the properties of a request, and how to redirect users after logout to a specified logout resource. The agent maintains the [user realm](glossary.html#def-user-realm) for each session, obtaining it from the JWT or `sessioninfo` endpoint. When a user logs out, the agent automatically passes the stored realm to the logout endpoint. Web Agent provides the following properties to configure logout: | Task | Property | Description | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Trigger logout | * [Enable Regex for Logout URL List](../properties-reference/org.forgerock.agents.config.logout.regex.enable.html) | A flag to evaluate expressions in [Logout URL List](../properties-reference/com.sun.identity.agents.config.agent.logout.url.html) as regular expressions instead of as wildcard expressions. | | | - [Logout URL List](../properties-reference/com.sun.identity.agents.config.agent.logout.url.html) | An expression that resolves to one or more application logout URLs.When the end user accesses a logout URL, the agent triggers a logout flow. The web server must be able to handle the logout URLs.Expressions can be wildcard expressions, Perl-compatible regular expressions, or ECMAScript-compatible (IIS) regular expressions. | | | * [Agent Logout URL Regular Expression (deprecated)](../properties-reference/com.forgerock.agents.agent.logout.url.regex.html) | A Perl-compatible or ECMAScript-compatible (IIS) regular expression that resolves to one or more application logout URLs.This property is deprecated; use [Logout URL List](../properties-reference/com.sun.identity.agents.config.agent.logout.url.html) instead.If this property is used, it is evaluated before [Enable Regex for Logout URL List](../properties-reference/org.forgerock.agents.config.logout.regex.enable.html) in the logout flow. | | Manage logout | - [AM Logout URL](../properties-reference/com.sun.identity.agents.config.logout.url.html) | A URL to manage the logout. | | | * [Enable Invalidate Logout Session](../properties-reference/org.forgerock.agents.config.logout.session.invalidate.html) | A flag to kill the AM session when the value of [Logout URL List](../properties-reference/com.sun.identity.agents.config.agent.logout.url.html) is a page in your application and your application doesn't handle the session invalidation process. | | | - [Reset Cookies on Logout List](../properties-reference/com.sun.identity.agents.config.logout.cookie.reset.html) | A list of cookies to reset on logout. | | Redirect after logout | * [Logout Redirect URL](../properties-reference/com.sun.identity.agents.config.logout.redirect.url.html) | A URL to which the user is redirected after logout. | | | - [Disable Logout Redirection](../properties-reference/com.forgerock.agents.config.logout.redirect.disable.html) | A flag to disallow redirect after logout. When `true`, the agent performs session logout in the background and continues processing access to the current URL. | ## Trigger logout with a URL The agent triggers logout according to the configuration of the following properties: * [Logout URL List](../properties-reference/com.sun.identity.agents.config.agent.logout.url.html) * [Agent Logout URL Regular Expression (deprecated)](../properties-reference/com.forgerock.agents.agent.logout.url.regex.html) * [Enable Regex for Logout URL List](../properties-reference/org.forgerock.agents.config.logout.regex.enable.html) The following image shows how the properties are applied: ![Properties to trigger logout](_images/logout.svg)Examples * The following example triggers logout when the request URL is from `*/bank/log-me-out`: ```none org.forgerock.agents.config.logout.regex.enable=false com.forgerock.agents.agent.logout.url=*//*:*/bank/log-me-out ``` * The following example triggers logout when the request URL is anywhere in the path `*/logout/*`: ```none org.forgerock.agents.config.logout.regex.enable=false com.forgerock.agents.agent.logout.url=*//*:*/*/logout/* ``` * The following example triggers logout when: * The request URL is on the path `*/protectedA/*` or `*/protectedB/*`, * The request URL contains a second query section that includes `op=logout` anywhere in the parameter list ```bash org.forgerock.agents.config.logout.regex.enable=true com.forgerock.agents.agent.logout.url=https:\/\/example.domain.com:443\/(protectedA|protectedB)\?(.*\&)*op=logout(\&.*)*$ ``` ## Redirect logout to a landing page The agent redirects users to a specified resource after logout when the following properties are configured: * [Disable Logout Redirection](../properties-reference/com.forgerock.agents.config.logout.redirect.disable.html) * Set to `false` to allow redirect on logout. The agent appends a goto parameter to the logout URL with the value of the [Logout Redirect URL](../properties-reference/com.sun.identity.agents.config.logout.redirect.url.html). * Set to `true` to disable redirect in logout. The agent doesn't perform the last redirection and leaves the web client on the logout page. Consider setting [Enable Invalidate Logout Session](../properties-reference/org.forgerock.agents.config.logout.session.invalidate.html) to `true` when this property is `true`. * [Logout Redirect URL](../properties-reference/com.sun.identity.agents.config.logout.redirect.url.html) Specify an HTML page to which the agent redirects the end user on logout. The page must be available in your web server. Depending on the redirect URL, perform this additional configuration: * Add the URL to the [Not-Enforced URL List](../properties-reference/com.sun.identity.agents.config.notenforced.url.html). * If the URL doesn't perform a REST logout to AM, set [Enable Invalidate Logout Session](../properties-reference/org.forgerock.agents.config.logout.session.invalidate.html) to `true`. * If the URL isn't relative to AM, or in the same scheme, FQDN, and port, add it to the AM validation service. Learn more in Advanced Identity Cloud's [Configure trusted URLs](https://docs.pingidentity.com/pingoneaic/am-authentication/redirection-url-precedence.html#configure_trusted_urls) or AM's [Configure trusted URLs](https://docs.pingidentity.com/pingam/8/am-authentication/redirection-url-precedence.html#configure_trusted_urls). ## End AM sessions on logout Configure one of the following properties to manage logout: * [AM Logout URL](../properties-reference/com.sun.identity.agents.config.logout.url.html) to redirect the request to AM's `/am/UI/Logout` endpoint. This is the default value. * [Enable Invalidate Logout Session](../properties-reference/org.forgerock.agents.config.logout.session.invalidate.html) * Set to `true` when [Logout URL List](../properties-reference/com.sun.identity.agents.config.agent.logout.url.html) is configured with a page in your application, but your application *doesn't handle* the session invalidation process. The agent doesn't add the `goto` parameter to the URL, and the web client remains in the logout page. The agent deletes its own JWT cookie and invalidates the AM session. * Set to `false` when [Logout URL List](../properties-reference/com.sun.identity.agents.config.agent.logout.url.html) has any of the following values: * A SAML v2.0 logout page. * An AM logout page. * A page in your application, and your application *does handle* the session invalidation process. The agent deletes its own JWT cookie but doesn't invalidate the AM session. ## Reset cookies on logout To reset specified cookies during logout, configure [Reset Cookies on Logout List](../properties-reference/com.sun.identity.agents.config.logout.cookie.reset.html). ## Example logout flow with AM as the logout page ![Simplified diagram showing the logout flow when AM is set as the logout pages](_images/logout-flow-am.svg) ## Example logout flow with the application serving the logout page ![Simplified diagram showing the logout flow when the application serves the logout pages](_images/logout-flow-custom.svg)