Configure Single Logout in app integrations

Single Logout (SLO) is a feature in federated authentication that allows end users to sign out of both their Okta session and a configured app with a single action.

Okta supports this sign out process only when initiated by a Service Provider (SP). The SP sends the SLO request to Okta to end the Okta session.

  • SWA applications don't support SLO.
  • Not all app integrations support SLO. If the SP supports SLO in their downstream app, it's noted as a supported feature in their app configuration guide. Contact your SP directly to request that they add support for SLO.

Enable SLO for SAML integrations

For SAML applications, the SP must be able to send an SLO request (a SAML LogoutRequest) to Okta, and that request must be signed.

You can use the SAML Application Integration Wizard to configure SLO:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the SAML application where you want to add SLO.
  3. In the General settings tab, on the SAML Settings panel, click Edit.
  4. In the SAML configuration wizard, click Next.
  5. On the Configure SAML page, click Show Advanced Settings.
  6. Select Allow application to initiate Single Logout.
  7. Single Logout URL — the URL for the SLO return. This is a URL on the service provider where Okta sends its sign out response (as a POST operation). If the SP doesn't have a specific SLO URL, the main SP URL can be used.
  8. SP Issuer — the identifier for the application. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP application.
  9. Signature Certificate — Okta requires a digital signature for the SLO request. You need to upload a copy of the signature certificate or CA that the SP is using to sign the SLO request.
  10. Click Next.
  11. Click Finish.

Finally, you need to retrieve the SLO details needed by your SP application:

  1. In the Sign On settings tab, click View SAML setup instructions.
  2. The page that appears shows the Identity Provider Single Logout URL. Copy this URL and add it into the configuration settings back in your SP application.
  3. To test your SLO flow, sign in to your SP application using the Okta integration and then use the appropriate sign out method from within the SP application. The browser should sign you out of both your SP application and Okta.
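
The following Python script is an added example, not part of the Okta documentation or any Okta SDK. It shows the shape of the LogoutRequest the SP sends to the Identity Provider Single Logout URL and, on the SP side, the checks to apply to the LogoutResponse that Okta POSTs back to the Single Logout URL before ending the local session: the response must answer a request this SP actually sent (InResponseTo), come from the expected issuer, and carry a Success status. The entity IDs, Okta URLs and session values are placeholders, and the XML signature that Okta requires on the request is left to the SP's SAML library (for example xmlsec), which is assumed to sign the XML this script produces.

```python
import uuid
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted XML in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical identifiers; take the real values from your SP and from the
# "View SAML setup instructions" page of your Okta integration.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
OKTA_SLO_URL = "https://example.okta.com/app/placeholder/slo/saml"
OKTA_ISSUER = "http://www.okta.com/placeholder"


def build_logout_request(name_id, session_index, sp_entity_id=SP_ENTITY_ID, destination=OKTA_SLO_URL):
    """Return (request_id, xml) for an unsigned SAML 2.0 LogoutRequest.

    Okta only accepts the request once it is signed with the key matching the
    uploaded Signature Certificate; the XML-DSig step belongs to the SP's SAML
    library and is not performed here.
    """
    request_id = "_" + uuid.uuid4().hex
    issue_instant = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
    })
    # Issuer must equal the SP Issuer entered in the Okta wizard.
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(root, encoding="unicode")


def validate_logout_response(xml_text, expected_request_id, expected_issuer=OKTA_ISSUER):
    """Check the LogoutResponse POSTed to the SP's Single Logout URL.

    Returns (ok, reason). The SP should clear its own session only on True, so
    an unsolicited or failed response cannot be mistaken for a completed logout.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return False, "not a LogoutResponse"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match a pending LogoutRequest"
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or issuer.text != expected_issuer:
        return False, "unexpected Issuer"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return False, f"logout not successful: {None if code is None else code.get('Value')}"
    return True, "ok"


def make_sample_logout_response(in_response_to, issuer=OKTA_ISSUER, status=STATUS_SUCCESS):
    """Constructed stand-in for the IdP's response, for local testing only."""
    root = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        "InResponseTo": in_response_to,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    st = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(st, f"{{{SAMLP}}}StatusCode", {"Value": status})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    req_id, req_xml = build_logout_request("user@example.com", "_session-1")
    print(req_xml)
    print(validate_logout_response(make_sample_logout_response(req_id), req_id))
```

The request ID is the value to keep server-side (keyed to the user's session) until the response arrives; a response whose InResponseTo is unknown is dropped rather than acted on.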

Enable SLO for OIDC integrations

For OpenID Connect (OIDC) integrations, the SP application must be configured to send an SLO request to Okta as a GET request. The application should redirect to this Okta endpoint:

GET https://{baseUrl}/logout?id_token_hint=${id_token}&post_logout_redirect_uri=${post_logout_redirect_uri}&state=${state}

Where:

  • baseUrl is the URL for your Okta org.
  • id_token is the OIDC ID token issued by Okta during sign on.
  • Optional. post_logout_redirect_uri is the Logout redirect URI to which Okta redirects the user after the SLO operation. This URI must be listed in the Logout redirect URIs configuration in the General Settings for your Okta integration.
  • Optional. state is any string that Okta adds as a parameter when it redirects to the post_logout_redirect_uri.

After this request is processed, the id_token is invalidated and the user is signed out from Okta.
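The Python below is an added example, not Okta's code or SDK. It builds the logout URL described above and adds the two checks an application should make on its own side: the post_logout_redirect_uri is compared against the list registered on the integration before the browser is sent away (so a misconfiguration fails locally instead of at Okta), and the state value is generated, stored, and compared in constant time when the user lands back on the Logout redirect URI. The org URL and redirect URI are placeholders, and the example assumes the page's {baseUrl} is the org authorization server base (https://<org>/oauth2/v1), with the /logout path appended as in the GET shown above.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values. OKTA_BASE_URL stands for the page's {baseUrl}; this example
# assumes it is the org authorization server base, https://<your org>/oauth2/v1.
OKTA_BASE_URL = "https://example.okta.com/oauth2/v1"
# Must match, character for character, the Logout redirect URIs configured
# under General Settings on the Okta integration.
REGISTERED_LOGOUT_REDIRECT_URIS = frozenset({"https://app.example.com/logged-out"})


def build_logout_url(id_token, post_logout_redirect_uri=None, state=None, base_url=OKTA_BASE_URL):
    """Return (logout_url, state) for the GET the app redirects the browser to.

    The redirect URI is checked against the registered set locally, and a
    random state is generated when the caller does not supply one. Without a
    redirect URI Okta ends the session and shows its own page, so no state is
    added in that case.
    """
    if not id_token:
        raise ValueError("id_token_hint is required to end the Okta session")
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri is not None:
        if post_logout_redirect_uri not in REGISTERED_LOGOUT_REDIRECT_URIS:
            raise ValueError("post_logout_redirect_uri is not a registered Logout redirect URI")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        params["state"] = state if state is not None else secrets.token_urlsafe(16)
    return f"{base_url}/logout?{urlencode(params)}", params.get("state")


def verify_post_logout_redirect(returned_url, expected_state):
    """Check the request that arrives on the Logout redirect URI.

    Returns True only if the URL (without query) is a registered redirect URI
    and the state echoed by Okta equals the one stored before the redirect, so
    the app clears its local session only for a logout round-trip it started.
    """
    parts = urlsplit(returned_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base not in REGISTERED_LOGOUT_REDIRECT_URIS:
        return False
    returned_state = parse_qs(parts.query).get("state", [""])[0]
    # Constant-time comparison on bytes (compare_digest on str requires ASCII).
    return secrets.compare_digest(returned_state.encode("utf-8"), expected_state.encode("utf-8"))


if __name__ == "__main__":
    url, state = build_logout_url("<id_token from sign-on>", "https://app.example.com/logged-out")
    print(url)
    print(verify_post_logout_redirect(f"https://app.example.com/logged-out?state={state}", state))
```

Store the returned state in the server-side session (or a short-lived signed cookie) before issuing the redirect; the check on return is what lets the application distinguish a completed logout from an arbitrary request to its logout-complete page.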

For more details on the GET request to the API, see the OpenID Connect & OAuth 2.0 API reference.

For application developers, language-specific instructions are also available in our Sign users out developer guide.

Finally, you need to add the Logout redirect URIs to your Okta integration:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the OIDC application where you want to add SLO.
  3. In the General settings tab, click Edit.
  4. Beside the Logout redirect URIs, click + Add URI and enter the post_logout_redirect_uri.
  5. Click Save.
  6. To test your SLO flow, sign in to your SP application using the Okta integration, and then use the appropriate sign out method from within the SP application. The browser should sign you out of both your SP application and Okta.