Configure Single Logout in app integrations

Single Logout (SLO) is a feature in federated authentication that allows end users to sign out of both their Okta session and a configured app with a single action.

Okta supports this sign-out process only when initiated by a Service Provider (SP). The SP sends the SLO request to Okta to end the Okta session.

  • SWA apps don't support SLO.
  • Not all app integrations support SLO. If the SP supports SLO in their downstream app, it's noted as a supported feature in their app configuration guide. Contact your SP directly to request that they add support for SLO.

Enable SLO for SAML integrations

If you've enabled Early Access front-channel SLO, this configuration is different. Go to Enable SLO for SAML integrations (with front-channel option).

For SAML apps, the SP must be able to send a signed SLO request to Okta. Okta rejects unsigned logout requests, so you must upload the certificate the SP signs with (see Signature Certificate below).

You can use the SAML Application Integration Wizard to configure SLO:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the SAML app where you want to add SLO.
  3. In the General settings tab, on the SAML Settings panel, click Edit.
  4. In the SAML configuration wizard, click Next.
  5. On the Configure SAML page, click Show Advanced Settings.
  6. Select Allow application to initiate Single Logout.
  7. Single Logout URL: The URL on the service provider where Okta sends its sign-out response (as a POST operation). If the SP doesn't have a specific SLO URL, the main SP URL can be used.
  8. SP Issuer: The identifier for the app. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP app.
  9. Signature Certificate: Okta requires a digital signature for the SLO request. You need to upload a copy of the signature certificate or CA that the SP is using to sign the SLO request.
  10. Click Next.
  11. Click Finish.

Finally, you need to retrieve the SLO details needed by your SP app:

  1. In the Sign On settings tab, click View SAML setup instructions.
  2. The page that appears shows the Identity Provider Single Logout URL. Copy this URL and add it into the configuration settings back in your SP app.
  3. To test your SLO flow, sign in to your SP app using the Okta integration and then use the appropriate sign-out method from within the SP app. The browser should sign you out of both your SP app and Okta.
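What the SP has to do in this flow, as an added example that is not code from Okta or from the page: build the LogoutRequest the SP sends to the Identity Provider Single Logout URL, encode it for the HTTP-Redirect binding, and then validate the LogoutResponse that Okta POSTs back to the Single Logout URL configured in step 7. The SP issuer, Okta issuer and URLs in the block are assumed placeholders; XML-signature creation and verification are left to your SAML library, which must still sign the request for Okta to accept it.

```python
"""Added example (not Okta's code): the SP side of an SP-initiated SAML Single Logout."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])


def build_logout_request(sp_issuer, idp_slo_url, name_id, session_index):
    """Return (request_id, xml_text) for an SP-initiated LogoutRequest.
    The ID is random so the LogoutResponse can later be correlated to it."""
    request_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_slo_url,
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_issuer  # the SP Issuer value
    name = ET.SubElement(root, f"{{{NS['saml']}}}NameID")
    name.set("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    name.text = name_id  # ElementTree escapes text, so no XML injection via the user ID
    ET.SubElement(root, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return request_id, ET.tostring(root, encoding="unicode")


def redirect_binding_param(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64.
    The SAML library still adds SigAlg and Signature over the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(raw).decode()


def decode_redirect_param(value):
    """Inverse of redirect_binding_param (used to check the round trip)."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def check_logout_response(saml_response_b64, request_id, okta_issuer, sp_slo_url):
    """Validate the LogoutResponse Okta POSTs to the SP's Single Logout URL.
    Accept it only if it answers our own request (InResponseTo), is addressed
    to our SLO URL, comes from our Okta org and reports Success."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}LogoutResponse":
        return False
    if root.get("InResponseTo") != request_id:
        return False  # unsolicited or replayed response
    if root.get("Destination") not in (None, sp_slo_url):
        return False
    if root.findtext("saml:Issuer", namespaces=NS) != okta_issuer:
        return False
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS


def make_sample_response(in_response_to, issuer, destination, status=SUCCESS):
    """Constructed sample of an Okta LogoutResponse (test input, not a real capture)."""
    xml_text = (
        f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{destination}" InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )
    return base64.b64encode(xml_text.encode()).decode()


if __name__ == "__main__":
    # All values below are assumed placeholders.
    SP_ISSUER = "https://sp.example.com/saml/metadata"
    SP_SLO_URL = "https://sp.example.com/saml/slo"
    OKTA_ISSUER = "http://www.okta.com/exk0000000000000000"
    IDP_SLO_URL = "https://example.okta.com/app/example_app/exk0000000000000000/slo/saml"
    rid, req_xml = build_logout_request(SP_ISSUER, IDP_SLO_URL, "alice@example.com", "idx-1")
    print("SAMLRequest=" + redirect_binding_param(req_xml)[:48] + "...")
    resp = make_sample_response(rid, OKTA_ISSUER, SP_SLO_URL)
    print("response accepted:", check_logout_response(resp, rid, OKTA_ISSUER, SP_SLO_URL))
```

The InResponseTo check is the one most often skipped in hand-rolled SLO handlers; without it any party that can reach the Single Logout URL can post a Success response and the SP cannot tell whether Okta actually ended the session.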

Enable SLO for SAML integrations (with front-channel option)

Early Access release. See Enable self-service features.

The SAML SLO configuration provides two options:

  • User is logged out of other participating apps and Okta: This allows an SP app to log out of Okta and any other open apps that support SLO.

  • User logs out of other logout-initiating apps or Okta: This allows the SP app to be logged out automatically when other open apps initiate SLO, using front-channel HTTP requests.

    Too many apps involved in a front-channel SLO transaction can exceed response header limits set by server software such as NGINX. In this case, you may need to update the default server limits or reduce the number of apps configured for front-channel SLO. See Okta Knowledge Base.

    For more information, see Configure Single Logout.

You can choose either or both options in the SAML Application Integration Wizard.

  1. In the Admin Console, go to Applications > Applications.
  2. Click the SAML app where you want to add SLO.
  3. In the General settings tab, on the SAML Settings panel, click Edit.
  4. In the SAML configuration wizard, click Next.
  5. If a Signature Certificate isn't already present, click Browse files to upload a certificate.
  6. In the Logout section, select either or both options:
    • User is logged out of other participating apps and Okta: Sign the user out of all Single Logout apps and Okta when an app initiates the sign-out action.
      • Response URL: Enter the URL that receives the Single Logout response from Okta.
      • SP Issuer: Enter the service provider identifier for the app. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP app.
    • User logs out of other logout-initiating apps or Okta: Sign the user out of all Single Logout apps and Okta when the user signs out of a Single Logout app or Okta.
      • Logout request URL: Enter the URL where Okta sends the logout request.
      • Request binding: Select the binding type for the logout request URL.
      • User session details: Select Include user session details to end a specific user session instead of all active user sessions.
  7. Click Next.
  8. Click Finish.

Finally, you need to retrieve the SLO IdP details needed by your SP app. In the Sign On settings tab, click View SAML setup instructions.

  • If you configured User is logged out of other participating apps and Okta, copy the Identity Provider Single Logout URL.
  • If you configured User logs out of other logout-initiating apps or Okta, copy the Identity Provider Single Logout Callback URL.

You can verify the URLs in your app configuration on the Sign On tab under More details in the SAML 2.0 section.
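How the SP handles the other direction, as an added example that is not code from Okta or from the page: when the "User logs out of other logout-initiating apps or Okta" option is on, Okta sends a LogoutRequest to the app's Logout request URL using the selected Request binding, the SP ends its local session, and returns a LogoutResponse to the Identity Provider Single Logout Callback URL. The block assumes (not from the page) an in-memory session store that recorded the NameID and SessionIndex from the sign-in assertion, a placeholder Okta issuer value, and that your SAML library has already verified the request signature.

```python
"""Added example (not Okta's code): SP handling of a front-channel LogoutRequest from Okta."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])


def decode_saml_request(saml_request, binding):
    """Decode the SAMLRequest parameter for the configured Request binding.
    HTTP-Redirect carries base64(raw DEFLATE(xml)); HTTP-POST carries base64(xml)."""
    data = base64.b64decode(saml_request)
    if binding == "HTTP-Redirect":
        data = zlib.decompress(data, -15)
    elif binding != "HTTP-POST":
        raise ValueError(f"unsupported binding {binding!r}")
    return ET.fromstring(data)


def handle_logout_request(root, sessions, okta_issuer):
    """End the local sessions the request names and return their IDs.
    With 'Include user session details' Okta adds a SessionIndex, so only that
    session ends; without it every session for the NameID ends."""
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != okta_issuer:
        raise ValueError("LogoutRequest from an unexpected issuer")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
    ended = []
    for sid, sess in list(sessions.items()):
        if sess["name_id"] != name_id:
            continue
        if indexes and sess["session_index"] not in indexes:
            continue
        del sessions[sid]
        ended.append(sid)
    return ended


def build_logout_response(in_response_to, sp_issuer, callback_url):
    """LogoutResponse the SP returns to the Identity Provider Single Logout
    Callback URL (HTTP-POST form value); signing is left to the SAML library."""
    root = ET.Element(f"{{{NS['samlp']}}}LogoutResponse", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": callback_url,
        "InResponseTo": in_response_to,
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_issuer
    status = ET.SubElement(root, f"{{{NS['samlp']}}}Status")
    ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode").set(
        "Value", "urn:oasis:names:tc:SAML:2.0:status:Success")
    return base64.b64encode(ET.tostring(root)).decode()


def sample_logout_request(name_id, session_index=None,
                          issuer="http://www.okta.com/exk0000000000000000"):
    """Constructed sample of an Okta LogoutRequest, HTTP-Redirect encoded (test input)."""
    idx = f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>" if session_index else ""
    xml_text = (
        f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>{idx}"
        "</samlp:LogoutRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


if __name__ == "__main__":
    # Assumed session store: two sessions for alice, one for bob.
    sessions = {
        "s1": {"name_id": "alice@example.com", "session_index": "idx-1"},
        "s2": {"name_id": "alice@example.com", "session_index": "idx-2"},
        "s3": {"name_id": "bob@example.com", "session_index": "idx-9"},
    }
    req = decode_saml_request(sample_logout_request("alice@example.com", "idx-2"), "HTTP-Redirect")
    print("ended:", handle_logout_request(req, sessions, "http://www.okta.com/exk0000000000000000"))
    print("remaining:", sorted(sessions))
```

Note that the request arrives in the user's browser (front channel), so the SP must not trust it on the issuer string alone: signature verification against the Okta signing certificate is what makes the issuer check meaningful.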

Enable SLO for OIDC integrations

For OpenID Connect (OIDC) integrations, the SP app must be configured to send an SLO request to Okta as a GET request. The app should redirect to this Okta endpoint:

GET https://{baseUrl}/logout?id_token_hint=${id_token}&post_logout_redirect_uri=${post_logout_redirect_uri}&state=${state}

Where:

  • baseUrl is the URL for your Okta org.
  • id_token is the OIDC token issued by Okta when signing on.
  • Optional. The post_logout_redirect_uri is the Logout redirect URI where Okta redirects the user after the SLO operation. This URI must be listed in the Logout redirect URIs configuration in the General Settings for your Okta integration.
  • Optional. The state is any string to be added as a parameter upon redirect to the SLO URI.

After this request is processed, the id_token is invalidated and the user is signed out from Okta.

For more details on the GET request to the API, see the OpenID Connect & OAuth 2.0 API reference.

For app developers, language-specific instructions are also available in our Sign users out developer guide.
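The app side of that request, as an added example that is not code from Okta or from the page: it builds the GET to the /logout endpoint shown above, refuses a post_logout_redirect_uri that is not in the app's registered Logout redirect URIs (Okta matches that list exactly, so the app should do the same before redirecting), clears the local app session so it does not outlive the Okta session, and checks the state value when Okta redirects back. The org URL, registered URI list and session dict are assumed placeholders.

```python
"""Added example (not Okta's code): OIDC logout request and return handling in the app."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def start_logout(base_url, session, registered_logout_uris, post_logout_redirect_uri=None):
    """Return (redirect_url, pending_state) for the browser redirect to Okta.
    Validates the redirect URI against the registered list first, then clears the
    local session so the app is signed out even if the user never reaches Okta."""
    if post_logout_redirect_uri is not None and post_logout_redirect_uri not in registered_logout_uris:
        raise ValueError("post_logout_redirect_uri is not a registered Logout redirect URI")
    id_token = session.get("id_token")
    if id_token is None:
        raise ValueError("no ID token in session; user did not sign in through Okta")
    session.clear()
    params = {"id_token_hint": id_token}  # urlencode percent-encodes every value
    state = None
    if post_logout_redirect_uri is not None:
        state = secrets.token_urlsafe(16)
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        params["state"] = state
    return f"{base_url.rstrip('/')}/logout?{urlencode(params)}", state


def finish_logout(return_url, pending_state):
    """Handler for the Logout redirect URI: True only if Okta echoed the state we issued,
    so a stray or forged redirect cannot be mistaken for a completed logout."""
    query = parse_qs(urlsplit(return_url).query)
    received = query.get("state", [None])[0]
    return pending_state is not None and received == pending_state


if __name__ == "__main__":
    # Assumed placeholders: org URL, registered URIs and a signed-in session.
    org = "https://example.okta.com"
    registered = ["https://app.example.com/signed-out"]
    session = {"id_token": "eyJhbGciOiJSUzI1NiJ9.example.signature", "user": "alice"}
    url, state = start_logout(org, session, registered, registered[0])
    print(url)
    print("local session cleared:", session == {})
    print("return accepted:", finish_logout(f"{registered[0]}?state={state}", state))
```

Store pending_state somewhere the browser cannot rewrite (a server-side record or a signed cookie); keeping it in the session dict that start_logout just cleared would defeat the check.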

Finally, you need to add the Logout redirect URIs to your Okta integration:

  1. In the Admin Console, go to Applications > Applications.
  2. Click the OIDC app where you want to add SLO.
  3. In the General settings tab, click Edit.
  4. Optional. In the Logout section, configure any of these options:

    Early Access release. See Enable self-service features.

    This feature isn't supported for native apps. For more information, see Configure Single Logout.

    Too many apps involved in a front-channel SLO transaction can exceed response header limits set by server software such as NGINX. In this case, you may need to update the default server limits if possible or reduce the number of apps configured for front-channel SLO. See Okta Knowledge Base.

    • Logout redirect URIs: Enter the URIs that the app can send in the logout request to Okta. Click Add URI to add another URI.
    • User logs out of other logout-initiating apps or Okta: Sign the user out of all Single Logout apps and Okta when the user signs out of a Single Logout app or Okta.
      • Logout request URL: Enter the URL where Okta sends the logout request.
      • Request binding: Select the binding type for the logout request URL.
      • User session details: Select Include user session details to end a specific user session instead of all active user sessions.
  5. Click Save.
  6. To test your SLO flow, sign in to your SP app using the Okta integration, and then use the appropriate sign-out method from within the SP app. The browser should sign you out of both your SP app and Okta.