Logging Out
At the end of a session, invoke the /Security/logout endpoint to log the user out, passing the authentication token acquired from Advancing the Authentication in the header.
For example:
POST /Security/logout
X-IDAP-NATIVE-CLIENT:true
Content-Type: application/json
{
"redirectUrl": "https://cyberark.my.idaptive.app",
"allowIWA": false
}
The API accepts two optional parameters in the request body:
redirectUrl
- The URL to redirect the user to after logout.
allowIWA
- Specifies whether to allow Windows authentication. The default is false.
Users with the default everybody role can invoke this API. It does not require any special rights.
The success field in the response indicates whether the request was successful.
{
"success": true,
"Result": null,
"Message": null,
"MessageID": null,
"Exception": null,
"ErrorID": null,
"ErrorCode": null,
"InnerExceptions": null
}
After a successful logout, the user is redirected to the redirect URL if it is present in the request body. Set the URL in the redirectUrl parameter. This URL can be external or relative.
Note: Invoking the /Security/logout endpoint invalidates the authentication token (the token can no longer be used). If an application redirects to the endpoint and the authentication token is in a browser cookie, the token is invalidated and the user is automatically redirected to the CyberArk Identity login page. Choose between invoking the endpoint directly and redirecting to it based on the desired behavior.
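Because redirectUrl may be an external URL, an application that takes the post-logout destination from a request parameter should validate it before placing it in the logout body, and should treat anything other than "success": true as a token that may still be valid. The following is an added example, not CyberArk's own code; the allowlist, the function names and the Authorization: Bearer header are assumptions (the page does not name the header that carries the token).

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts this application will send users to after logout.
ALLOWED_REDIRECT_HOSTS = {"cyberark.my.idaptive.app"}

def safe_redirect_url(url):
    """Return url if it is a rooted relative path or an https URL on an
    allowlisted host; otherwise return None."""
    if not url or any(c in url for c in "\\\r\n\t"):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if not parts.scheme and not parts.netloc:
        # Relative form: accept "/path", reject "path" and protocol-relative "//host".
        return url if url.startswith("/") and not url.startswith("//") else None
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return None

def build_logout_request(token, redirect_url=None):
    """Build (but do not send) the POST /Security/logout request."""
    body = {"allowIWA": False}
    if redirect_url is not None:
        checked = safe_redirect_url(redirect_url)
        if checked is None:
            raise ValueError("redirectUrl rejected: not relative or allowlisted")
        body["redirectUrl"] = checked
    headers = {
        "X-IDAP-NATIVE-CLIENT": "true",
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token,  # assumption: header name not on the page
    }
    return {"method": "POST", "path": "/Security/logout",
            "headers": headers, "body": json.dumps(body)}

def logout_succeeded(response_text):
    """True only when the response envelope carries success == true."""
    try:
        envelope = json.loads(response_text)
    except ValueError:
        return False  # non-JSON reply: assume the token was not invalidated
    return isinstance(envelope, dict) and envelope.get("success") is True
```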
Sign Out Current Session
To end a particular local session only, invoke the [/UserMgmt/SignOutCurrentSession](ref: post_usermgmt-signoutcurrentsession) endpoint. This signs the user out of the application they are accessing by ending their local session; it does not sign them out of other CyberArk Identity applications.
POST /UserMgmt/SignOutCurrentSession
This API call doesn’t require any parameters in the request body.
Also, users with the default everybody role can access this API. It does not require any special rights.
The response’s success field indicates whether the request was successful and the user was signed out of the current application session.
{
"success": true,
"Result": null,
"Message": null,
"MessageID": null,
"Exception": null,
"ErrorID": null,
"ErrorCode": null,
"InnerExceptions": null
}
Note: Invoking the /UserMgmt/SignOutCurrentSession endpoint takes the user's session ID from the application and deletes that session from the authsession table, thus ending the user's current session.
Sign Out Everywhere
You can invoke the [/UserMgmt/SignOutEverywhere](ref: post_usermgmt-signouteverywhere) endpoint to sign out a user from all applications. This ends all of the user's sessions across all applications. All sessions and cookies for the user provided in the request body are deleted, and the user will need to log in again.
POST /UserMgmt/SignOutEverywhere
Payload:
{
"id": "1e5214e4-0921-4e9e-8ada-3ef2970f7c1f"
}
This API call requires the mandatory parameter id in the request body. This is the UUID of the user who is to be logged out everywhere.
This API also requires special rights for the user invoking it. Only system administrators and users with user management rights can invoke it for other users and end their sessions everywhere. A regular user can use this API to sign out everywhere only for their own sessions.
The response’s success field indicates whether the request was successful and the user was signed out from all applications.
{
"success": true,
"Result": null,
"Message": null,
"MessageID": null,
"Exception": null,
"ErrorID": null,
"ErrorCode": null,
"InnerExceptions": null
}
Note: The user should be logged in to the application to sign out from all applications using this endpoint. Invoking the /UserMgmt/SignOutEverywhere endpoint takes the user ID passed in the request, fetches the list of all sessions for that user from the authsessions table, and deletes all of them, thereby logging the user out everywhere.