Universal Logout revocations
This topic describes which cookies and tokens Universal Logout revokes when you configure Post Auth Session or the Entity risk policy to sign users out of Okta, their apps, or both.
Okta artifacts for SaaS and Okta apps
This table lists the artifacts that Okta issues to Software as a Service (SaaS) and Okta apps and the circumstances in which Universal Logout clears them.
Each app manages the cookies and tokens that it issues. For information on an app's cookies and tokens, see that app's documentation. See Universal Logout for a list of supported apps.
Artifact | Admin-initiated clear user session | Entity risk policy violation | Global session policy violation* | Authentication policy violation** |
---|---|---|---|---|
Session cookies | ● | ● | ● | ● |
Refresh tokens | ● | ● | ● | ● |
Access tokens | ● | ● | ● | ● |
ID tokens | ● | ● | ● | ● |
* — If a user is signed in to Okta on two or more devices, Okta revokes only cookies and tokens for the session on the device where the global session policy violation occurred.
** — If an app triggers an authentication policy failure, Okta revokes only its cookies and tokens.
Okta user session management tokens
This table lists the tokens that Okta issues for its own session management, password resets, and account unlocking and the circumstances in which Universal Logout clears them.
Artifact | Admin-initiated clear user session | Entity risk policy violation | Global session policy violation* | Authentication policy violation |
---|---|---|---|---|
State tokens | ● | ● | ● | |
Password reset tokens | ● | ● | ● | |
Account unlock tokens | ● | ● | ● | |
* — If a user is signed in to Okta on two or more devices, Okta revokes only cookies and tokens for the session on the device where the global session policy violation occurred.
Okta artifacts for on-behalf-of-user scenarios
This table lists the artifacts that Okta issues on behalf of the user to authenticate in other systems and the circumstances in which Universal Logout clears them.
Artifact | Admin-initiated clear user session | Entity risk policy violation | Global session policy violation* | Authentication policy violation |
---|---|---|---|---|
Custom authorization servers | ||||
SSWS tokens (API tokens) | ● | ● |
* — If a user is signed in to Okta on two or more devices, Okta revokes only cookies and tokens for the session on the device where the global session policy violation occurred.