Configure Single Logout in app integrations

Single Logout (SLO) is a feature in federated authentication that allows end users to sign out of both their Okta session and a configured app with a single action.

Okta supports this sign-out process only when initiated by a Service Provider (SP). The SP sends the SLO request to Okta to end the Okta session.

  • SWA apps don't support SLO.
  • Not all app integrations support SLO. If the SP supports SLO in their downstream app, it's noted as a supported feature in their app configuration guide. Contact your SP directly to request that they add support for SLO.

Enable SLO for SAML integrations

For SAML apps, the SP must be able to send an SLO request to Okta, and that request must be signed.

You can use the SAML Application Integration Wizard to configure SLO:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the SAML app where you want to add SLO.
  3. In the General settings tab, on the SAML Settings panel, click Edit.
  4. In the SAML configuration wizard, click Next.
  5. On the Configure SAML page, click Show Advanced Settings.
  6. Select Allow application to initiate Single Logout.
  7. Single Logout URL: The URL for the SLO return. This is a URL on the service provider where Okta sends its sign-out response (as a POST operation). If the SP doesn't have a specific SLO URL, the main SP URL can be used.
  8. SP Issuer: The identifier for the app. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP app.
  9. Signature Certificate: Okta requires a digital signature for the SLO request. You need to upload a copy of the signature certificate or CA that the SP is using to sign the SLO request.
  10. Click Next.
  11. Click Finish.

Finally, you need to retrieve the SLO details needed by your SP app:

  1. In the Sign On settings tab, click View SAML setup instructions.
  2. The page that appears shows the Identity Provider Single Logout URL. Copy this URL and add it into the configuration settings back in your SP app.
  3. To test your SLO flow, sign in to your SP app using the Okta integration and then use the appropriate sign-out method from within the SP app. The browser should sign you out of both your SP app and Okta.

Enable SLO for OIDC integrations

For OpenID Connect (OIDC) integrations, the SP app must be configured to send an SLO request to Okta as a GET request. The app should redirect to this Okta endpoint:

GET https://{baseUrl}/logout?id_token_hint=${id_token}&post_logout_redirect_uri=${post_logout_redirect_uri}&state=${state}

Where:

  • baseUrl is the URL for your Okta org.
  • id_token is the OIDC ID token issued by Okta when the user signed on.
  • Optional. The post_logout_redirect_uri is the Logout redirect URI where Okta redirects the user after the SLO operation. This URI must be listed in the Logout redirect URIs configuration in the General Settings for your Okta integration.
  • Optional. The state is any string to be added as a parameter upon redirect to the SLO URI.

After this request is processed, the id_token is invalidated and the user is signed out from Okta.
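The following is an added example, not Okta's own code, showing how an SP app can assemble the GET /logout request above. The org URL and the registered Logout redirect URI are constructed placeholder values, and the exact-match check mirrors the requirement that post_logout_redirect_uri be listed on the integration.

```python
# Added example (not Okta's code): build the OIDC RP-initiated logout URL
# described above and read back the state Okta echoes on the redirect.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample values; replace with your org's base URL and the
# Logout redirect URIs registered on the Okta app integration.
OKTA_BASE_URL = "https://example.okta.com"  # hypothetical org
REGISTERED_LOGOUT_URIS = {"https://app.example.com/logged-out"}


def build_logout_url(id_token, post_logout_redirect_uri=None, state=None):
    """Return the https://{baseUrl}/logout URL to redirect the browser to.

    Raises ValueError if the redirect URI is not one registered on the
    integration; Okta only redirects to URIs listed under Logout redirect URIs.
    """
    if not id_token:
        raise ValueError("id_token_hint is required to end the Okta session")
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri is not None:
        # Exact string match, not prefix match: a registered URI must equal
        # the value sent, otherwise the redirect is rejected.
        if post_logout_redirect_uri not in REGISTERED_LOGOUT_URIS:
            raise ValueError("post_logout_redirect_uri is not registered")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        # state is appended to the redirect; an unguessable value lets the
        # app correlate the return with the logout it initiated.
        params["state"] = state if state is not None else secrets.token_urlsafe(16)
    base = urlsplit(OKTA_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, "/logout", urlencode(params), ""))


def parse_logout_return(return_url):
    """Extract the state parameter Okta appended after the SLO redirect."""
    query = parse_qs(urlsplit(return_url).query)
    return query.get("state", [None])[0]
```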

For more details on the GET request to the API, see the OpenID Connect & OAuth 2.0 API reference.

For app developers, language-specific instructions are also available in our Sign users out developer guide.

Finally, you need to add the Logout redirect URIs to your Okta integration:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the OIDC app where you want to add SLO.
  3. In the General settings tab, click Edit.
  4. Beside the Logout redirect URIs, click + Add URI and enter the post_logout_redirect_uri.
  5. Click Save.
  6. To test your SLO flow, sign in to your SP app using the Okta integration, and then use the appropriate sign-out method from within the SP app. The browser should sign you out of both your SP app and Okta.