Configure Universal Logout for generic SAML and OIDC apps
Early Access release. See Enable self-service features.
Universal Logout lets you terminate users' sessions in generic Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) apps.
Your SAML or OIDC app must support the Global Token Revocation specification and the Signed JSON Web Token (JWT) method. If the app doesn't support Signed JWT, then API authentication and Universal Logout fail. See Global Token Revocation and Endpoint authentication.
Start this procedure
Universal Logout settings are visible after you configure the app. Follow these steps for both SAML and OIDC apps:
- In the Admin Console, go to .
- Select an app that supports Universal Logout.
- On the app's page, select the Authentication tab.
- In the Logout section, click Edit.
- Under Global Token Revocation, select Okta system or admin initiates logout.
- In the Logout endpoint URL section, enter the app's logout API endpoint. This endpoint must support the Global Token Revocation specification.
- By default, Endpoint authentication type is set to Signed JWT.
- Select either Issuer and Subject Identifier or Email Identifier for the Subject format type.
- Click Save.
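On the app side, the logout endpoint has to resolve whichever Subject format type was selected to the user's sessions. The following is an added example, not Okta's code or part of this procedure: it assumes the request body carries a `sub_id` object with `format` set to `iss_sub` or `email`, and the 204/400/404 responses, as described in the Global Token Revocation draft. The session store, org URL and user IDs are constructed, and the Signed JWT is assumed to have been verified before this function runs.

```python
import json

# Constructed sample data: the app's own session store, keyed by session ID.
ORG = "https://example.okta.com"  # placeholder org URL (assumption)
SESSIONS = {
    "s1": {"iss": ORG, "sub": "00u1abc", "email": "alice@example.com"},
    "s2": {"iss": ORG, "sub": "00u1abc", "email": "alice@example.com"},
    "s3": {"iss": ORG, "sub": "00u2def", "email": "bob@example.com"},
}

def _matcher(sub_id):
    """Return a predicate over session records, or None if sub_id is invalid."""
    if not isinstance(sub_id, dict):
        return None
    fmt = sub_id.get("format")
    if fmt == "iss_sub":
        iss, sub = sub_id.get("iss"), sub_id.get("sub")
        if not (isinstance(iss, str) and isinstance(sub, str) and iss and sub):
            return None
        # Match on issuer AND subject: the same sub value from a different
        # issuer is a different user.
        return lambda s: s.get("iss") == iss and s.get("sub") == sub
    if fmt == "email":
        email = sub_id.get("email")
        if not isinstance(email, str) or "@" not in email:
            return None
        return lambda s: s.get("email", "").lower() == email.lower()
    return None  # unsupported subject format

def handle_revocation(raw_body, sessions=SESSIONS):
    """Handle an already-authenticated revocation request; return an HTTP status."""
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return 400  # not JSON
    match = _matcher(body.get("sub_id")) if isinstance(body, dict) else None
    if match is None:
        return 400  # missing or malformed sub_id
    doomed = [sid for sid, rec in sessions.items() if match(rec)]
    if not doomed:
        return 404  # no such user or no active sessions
    for sid in doomed:
        del sessions[sid]  # terminate every session, not just the first
    return 204
```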