Configure Single Logout in app integrations

Single Logout (SLO) is a feature in federated authentication that allows end users to sign out of both their Okta session and a configured app with a single action.

Okta supports this sign out process only when initiated by a Service Provider (SP). The SP sends the SLO request to Okta to end the Okta session.

  • SWA applications don't support SLO.
  • Not all app integrations support SLO. If the SP supports SLO in their downstream app, it's noted as a supported feature in their app configuration guide. Contact your SP directly to request that they add support for SLO.

Enable SLO for SAML integrations

If you've enabled Early Access front-channel SLO, this configuration is different. Go to Enable SLO for SAML integrations (with front-channel option).

For SAML applications, the SP must be able to send an SLO request to Okta and it must be signed.

You can use the SAML Application Integration Wizard to configure SLO:

  1. In the Admin Console, go to ApplicationsApplications.
  2. Click the SAML application where you want to add SLO.
  3. In the General settings tab, on the SAML Settings panel, click Edit.
  4. In the SAML configuration wizard, click Next.
  5. On the Configure SAML page, click Show Advanced Settings.
  6. Select Allow application to initiate Single Logout.
  7. Single Logout URL — the URL for the SLO return. This is a URL on the service provider where Okta sends its sign out response (as a POST operation). If the SP doesn't have a specific SLO URL, the main SP URL can be used.
  8. SP Issuer — the identifier for the application. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP application.
  9. Signature Certificate — Okta requires a digital signature for the SLO request. You need to upload a copy of the signature certificate or CA that the SP is using to sign the SLO request.
  10. Click Next.
  11. Click Finish.

Finally, you need to retrieve the SLO details needed by your SP application:

  1. In the Sign On settings tab, click View SAML setup instructions.
  2. The page that appears shows the Identity Provider Single Logout URL. Copy this URL and add it into the configuration settings back in your SP application.
  3. To test your SLO flow, sign in to your SP application using the Okta integration and then use the appropriate sign out method from within the SP application. The browser should sign you out of both your SP application and Okta.

Enable SLO for SAML integrations (with front-channel option)

Early Access release. See Enable self-service features.

The SAML SLO configuration provides two options:

  • SLO initiation, which allows an SP application to log out of Okta and any other open apps that support SLO

  • SLO participation, which allows the SP application to be logged out automatically when other open applications initiate SLO, using front-channel HTTP requests

    Too many apps involved in a front-channel SLO transaction can exceed response header limits set by server software such as NGINX. In this case, you may need to update the default server limits or reduce the number of apps configured for front-channel SLO. See Okta Knowledge Base.

    • For more information, see Configure Single Logout.

You can choose either or both options in the SAML Application Integration Wizard.

  1. In the Admin Console, go to ApplicationsApplications.
  2. Click the SAML application where you want to add SLO.
  3. In the General settings tab, on the SAML Settings panel, click Edit.
  4. In the SAML configuration wizard, click Next.
  5. If a Signature Certificate isn't already present, click Browse files to upload a certificate.
  6. In the Logout section, select the checkboxes for either SLO initiation or SLO participation, or both.
    • For SLO initiation enter the following information:
      • Response URL — the URL for the SLO return. This is a URL on the service provider where Okta sends its sign out response (as a POST operation). If the SP doesn't have a specific SLO URL, the main SP URL can be used.
      • SP Issuer — the identifier for the application. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP application.
    • For SLO participation enter the following information:
      • Request URL — The location where Okta sends the logout request for this app.
      • Request binding — Post or Redirect.
      • User session details — Optional. Allows you to restrict the SLO to specific users, based on session information.
  7. Click Next.
  8. Click Finish.

Finally, you need to retrieve the SLO IdP details needed by your SP app. In the Sign On settings tab, click View SAML setup instructions.

  • If you configured SLO initiation, copy the Identity Provider Single Logout URL.
  • If you configured SLO participation, copy the Identity Provider Single Logout Callback URL.

You can verify the URLs in your app configuration on the Sign On tab under More details in the SAML 2.0 section.

Enable SLO for OIDC integrations

For OpenID Connect (OIDC) integrations, the SP application must be configured to send an SLO request to Okta as a GET request. The application should redirect to this Okta endpoint:

GET https://{baseUrl}/logout?id_token_hint=${id_token}&post_logout_redirect_uri=${post_logout_redirect_uri}&state=${state}

Where:

  • baseURL is the URL for your Okta org.
  • id_token is the OIDC token issued by Okta during sign on.
  • Optional. The post_logout_redirect_uri is the Logout redirect URI where Okta redirects the user after the SLO operation. This URI must be listed in the Logout redirect URIs configuration in the General Settings for your Okta integration.
  • Optional. The state is any string to be added as parameter upon redirect to the SLO URI.

After this request is processed, the id_token is invalidated and the user is signed out from Okta.

For more details on the GET request to the API, see the OpenID Connect & OAuth 2.0 API reference.

For application developers, language-specific instructions are also available in our Sign users out developer guide.

Finally, you need to add the Logout redirect URIs to your Okta integration:

  1. In the Admin Console, go to ApplicationsApplications.
  2. Click the OIDC application where you want to add SLO.
  3. In the General settings tab, click Edit.
  4. Beside the Logout redirect URIs, click + Add URI and enter the post_logout_redirect_uri.
  5. Optional. In the Logout section, select Allow the app to participate in single logout.

    Early Access release. See Enable self-service features.

    This feature is not supported for native apps. For more information, see Configure Single Logout.

    Too many apps involved in a front-channel SLO transaction can exceed response header limits set by server software such as NGINX. In this case, you may need to update the default server limits if possible or reduce the number of apps configured for front-channel SLO. See Okta Knowledge Base.

    Enter the following information:

    • Request URL — The location where Okta sends the logout request for this app.
    • User session details — Optional. Allows you to restrict the SLO to specific users, based on session information.
  6. Click Save.
  7. To test your SLO flow, sign in to your SP application using the Okta integration, and then use the appropriate sign out method from within the SP application. The browser should sign you out of both your SP application and Okta.