Configure Universal Logout

Advanced Universal Logout options are available through Identity Threat Protection with Okta AI. If your org has ITP enabled, refer to Universal Logout instead.

In orgs with only AMFA enabled, Universal Logout can only be triggered manually from the Admin Console, with a rate limit.

You can manually revoke a user's identity provider (IdP) sessions and refresh tokens by clearing their sessions.

  1. In the Admin Console, go to DirectoryPeople.

  2. Select a user from the People & username column.
  3. Click More Actions, and then select Clear user sessions. The Clear sessions and revoke tokens dialog opens.
  4. Select Also include logout enabled apps and Okta API tokens to invoke Universal Logout for the user.

    If you don't select this checkbox, Okta revokes the OpenID Connect and OAuth refresh and access tokens that were issued to the user and clears all active IdP sessions. The user must then authenticate the next time they sign in.

  5. Click Clear and revoke.

The Clear sessions and revoke tokens dialog in the Admin Console

Related topics

Universal Logout revocations

Universal Logout

Configure Universal Logout for supported apps