Single Logout in applications

Single Logout (SLO) is a feature in federated authentication where end users can sign out of both their Okta session and a configured application with a single action.

Okta supports this sign out process only when initiated by a Service Provider (SP). The SP sends the SLO request to Okta to end the Okta session.

Note

  • SWA applications don't support the SLO operation.
  • SLO doesn't sign the end user out of other integrations that may be open.
  • Okta doesn't sign out web applications.

Enable SLO for SAML integrations

For SAML applications, the SP must be able to send the SLO request to Okta as a signed POST request.

If you are using Okta for Single Sign-On (SSO) and you want to close and sign out of the Okta session, you can use the SAML Application Integration Wizard to configure SLO:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the SAML application where you want to add SLO.
  3. In the General settings tab, on the SAML Settings panel, click Edit.
  4. In the SAML configuration wizard, click Next to move to step 2 Configure SAML.
  5. On the Configure SAML page, click Show Advanced Settings.
  6. Select the check box to Allow application to initiate Single Logout.
  7. Single Logout URL — the URL for the SLO return. This is a URL on the service provider where Okta sends its sign out response (as a POST operation). If the SP doesn't have a specific SLO URL, the main SP URL can be used.
  8. SP Issuer — the identifier for the application. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP application.
  9. Signature Certificate — Okta requires a digital signature for the SLO request. You need to upload a copy of the signature certificate or CA that the SP is using to sign the SLO request.
  10. Click Next.
  11. Click Finish.

Finally, you need to retrieve the SLO details needed by your SP application:

  1. In the Sign On settings tab, on the Settings panel, click View Setup Instructions.
  2. The page that appears shows the Identity Provider Single Logout URL. Copy this URL and add it into the configuration settings back in your SP application.
  3. To test your SLO flow, sign in to your SP application using the Okta integration and then use the appropriate sign out method from within the SP application. The browser should sign you out of both your SP application and Okta.
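The SAML steps above configure three things Okta checks before it honours an SP-initiated logout: the request arrives by POST, its Issuer matches the configured SP Issuer, and it is signed with the uploaded certificate. The following is an added example (not Okta's code and not part of this page) showing the same checks from the receiving side, which is also useful when debugging an SP that sends a LogoutRequest Okta rejects. The XML document, issuer, Destination, IDs and the `verify_signature` callback are constructed placeholders; real XML-DSig verification must be supplied by an XML signature library.

```python
"""Decode and sanity-check an SP-initiated SAML LogoutRequest (HTTP-POST binding).

Added example, not Okta's code. Every URL, ID and the XML below are constructed
placeholders; cryptographic signature verification is delegated to a caller-supplied
verify_signature callback (hypothetical), because it needs an XML-DSig library.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample of what an SP places in the SAMLRequest form field before base64 encoding.
SAMPLE_LOGOUT_REQUEST_XML = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://example.okta.com/app/constructed/slo/saml">'
    "<saml:Issuer>https://app.example.com/saml/metadata</saml:Issuer>"
    "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
    "<saml:NameID>user@example.com</saml:NameID>"
    "<samlp:SessionIndex>_constructed-session-1</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)


def encode_saml_request(xml_text: str) -> str:
    """Base64-encode a LogoutRequest the way the POST binding carries it in SAMLRequest."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


SAMPLE_SAML_REQUEST_FIELD = encode_saml_request(SAMPLE_LOGOUT_REQUEST_XML)


def inspect_logout_request(saml_request_field: str,
                           expected_issuer: str,
                           expected_destination: str,
                           verify_signature: Optional[Callable[[bytes], bool]] = None) -> Dict[str, str]:
    """Decode the SAMLRequest field and apply the checks the SLO configuration implies.

    Rejects the message unless it is a LogoutRequest whose Issuer equals the configured
    SP Issuer, whose Destination is this SLO endpoint, and which carries a Signature
    element that verify_signature (if given) accepts. Returns the fields needed to end
    the matching session.
    """
    raw = base64.b64decode(saml_request_field, validate=True)
    # Untrusted XML in production should go through defusedxml rather than the stdlib parser.
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer != expected_issuer:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this SLO endpoint")
    if root.find(f"{{{DS}}}Signature") is None:
        raise ValueError("LogoutRequest is not signed")
    if verify_signature is not None and not verify_signature(raw):
        raise ValueError("signature verification failed")
    return {
        "id": root.get("ID", ""),
        "issuer": issuer,
        "name_id": root.findtext(f"{{{SAML}}}NameID") or "",
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex") or "",
    }


if __name__ == "__main__":
    print(inspect_logout_request(SAMPLE_SAML_REQUEST_FIELD,
                                 "https://app.example.com/saml/metadata",
                                 "https://example.okta.com/app/constructed/slo/saml"))
```

The Issuer comparison is an exact string match against the SP Issuer entered in the wizard; a request whose Issuer differs by so much as a trailing slash is refused, which is the most common cause of an SLO request that the SP believes it sent correctly.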

Enable SLO for OIDC integrations

For OpenID Connect (OIDC) integrations, the SP application must be configured to send an SLO request to Okta as a GET request. The application should redirect to this Okta endpoint:

GET https://{baseUrl}/logout?id_token_hint=${id_token}&post_logout_redirect_uri=${post_logout_redirect_uri}&state=${state}

Where:

  • baseURL is the URL for your Okta org.
  • id_token is the OIDC token issued by Okta during sign on.
  • Optional. The post_logout_redirect_uri is the Logout redirect URI where Okta redirects the user after the SLO operation.
    • This URI must be listed in the Logout redirect URIs configuration in the General Settings for your Okta integration.
  • Optional. The state is any string to be added as parameter upon redirect to the SLO URI.

After this request is processed, the id_token is invalidated and the user is signed out from Okta.
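The following is an added example (not Okta's code and not part of this page) of how an application builds the GET request above and handles the redirect back. It enforces two things the parameter list implies but applications often skip: the `post_logout_redirect_uri` is compared by exact match against the Logout redirect URIs registered on the integration, and `state` is an unguessable per-session value that is checked when Okta redirects back. The org base URL, the registered URI list and the token values are constructed placeholders.

```python
"""Build an Okta RP-initiated logout URL and check the post-logout redirect.

Added example, not Okta's code. OKTA_BASE_URL, REGISTERED_LOGOUT_REDIRECT_URIS and
the token strings are constructed placeholders.
"""
import secrets
from typing import FrozenSet, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: what the page calls {baseUrl} for the Okta org.
OKTA_BASE_URL = "https://example.okta.com"

# Constructed: the Logout redirect URIs registered on the Okta integration.
# Okta only redirects to a URI on this list, so the application enforces the same
# exact-match rule before sending the user to the logout endpoint.
REGISTERED_LOGOUT_REDIRECT_URIS: FrozenSet[str] = frozenset({
    "https://app.example.com/signed-out",
})


def new_state() -> str:
    """Return an unguessable state value that binds the logout round trip to this session."""
    return secrets.token_urlsafe(32)


def build_logout_url(id_token: str,
                     post_logout_redirect_uri: Optional[str] = None,
                     state: Optional[str] = None,
                     base_url: str = OKTA_BASE_URL,
                     registered_uris: FrozenSet[str] = REGISTERED_LOGOUT_REDIRECT_URIS) -> str:
    """Assemble {baseUrl}/logout?id_token_hint=...&post_logout_redirect_uri=...&state=...

    id_token_hint is mandatory; the other two parameters are optional. The redirect
    URI is matched exactly (no prefix, wildcard or host-suffix matching).
    """
    if not id_token:
        raise ValueError("id_token_hint is required")
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri is not None:
        if post_logout_redirect_uri not in registered_uris:
            raise ValueError("post_logout_redirect_uri is not a registered Logout redirect URI")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state is not None:
        params["state"] = state
    # urlencode percent-encodes the redirect URI so it survives as a single query parameter.
    return f"{base_url}/logout?{urlencode(params)}"


def state_matches(redirect_url: str, expected_state: str) -> bool:
    """Check the state Okta echoed back on the post-logout redirect.

    True only if exactly one state parameter is present and it equals the value stored
    for this browser session; a missing, duplicated or foreign state is rejected.
    """
    values = parse_qs(urlparse(redirect_url).query).get("state", [])
    if len(values) != 1:
        return False
    return secrets.compare_digest(values[0].encode("utf-8"), expected_state.encode("utf-8"))


if __name__ == "__main__":
    state = new_state()
    url = build_logout_url("eyJ.constructed.idtoken", "https://app.example.com/signed-out", state)
    print(url)
    print(state_matches(f"https://app.example.com/signed-out?state={state}", state))
```

The application stores the state it generated in the user's session before redirecting; on the way back, a mismatched or absent state means the redirect was not the one this session started, and the application should not treat it as a completed logout.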

For more details on the GET request to the API, see the OpenID Connect & OAuth 2.0 API reference.

For application developers, language-specific instructions are also available in our Sign users out developer guide.

Finally, you need to add the Logout redirect URIs to your Okta integration:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the OIDC application where you want to add SLO.
  3. In the General settings tab, click Edit.
  4. Beside the Logout redirect URIs, click + Add URI.
  5. Enter the URI where Okta will send relying party-initiated SLO requests.
  6. Click Save.
  7. To test your SLO flow, sign in to your SP application using the Okta integration and then use the appropriate sign out method from within the SP application. The browser should sign you out of both your SP application and Okta.