Configure Universal Logout for supported apps

Universal Logout lets you terminate users' sessions and their tokens for supported Okta Integration Network (OIN), generic Security Assertion Markup Language (SAML), and OpenID Connect (OIDC) apps.

First, configure your OIN, SAML, or OIDC apps to work with Universal Logout. Then you can configure policies in Identity Threat Protection to trigger Universal Logout when it identifies a change in risk conditions. You can also end a user session manually from the user risk profile.

See Universal Logout supported apps.

Configure Universal Logout for OIN apps

Do this procedure in an app that you've already integrated. To integrate an app, see Add existing app integrations, and then return to this procedure.

Before you begin, verify that you've fulfilled these requirements:

• Ensure that your admin role has permission to manage apps. See the Application management section in Standard administrator roles and permissions.
• Ensure that the app that you want to configure supports Universal Logout.
• Verify that you have a service account with the security provider for the app that you want to configure.
• Obtain the credentials that you need to connect Okta to the app.

Start this procedure

1. In the Admin Console, go to ApplicationsApplications.
2. Select an app that supports Universal Logout. See Universal Logout .
3. On the app's page, select the Authentication tab.
4. In the Logout section, click Edit.
5. Select Okta system or admin initiates logout.
6. In the API configuration for logout section, enter your admin credentials for the app. The names of these fields are different for each vendor.
7. Click Connect account, and then complete the app configuration in the pop-up window that appears.
8. Click Save.

Configure Universal Logout for generic SAML and OIDC apps

Early Access release. See Enable self-service features.

You can configure Universal Logout to terminate user sessions in generic SAML and OIDC apps.

Your SAML or OIDC app must support the Global Token Revocation specification and the Signed JSON web token (JWT) method. If the app doesn't support Signed JWT, then API authentication and Universal Logout fail. See Global Token Revocation and Endpoint authentication.

Universal Logout doesn't work with custom SAML and OIDC apps if you've enabled Federation Broker Mode. Use explicit user assignments instead.

Start this procedure

Universal Logout settings are visible after you configure the app. Follow these steps for both SAML and OIDC apps:

1. In the Admin Console, go to ApplicationsApplications.
2. Select an app that supports Universal Logout. See Universal Logout .
3. On the app's page, select the Authentication tab.
4. In the Logout section, click Edit.
5. Under Global Token Revocation, select Okta system or admin initiates logout.
6. In the Logout endpoint URL section, enter the app's logout API Endpoint. This endpoint must support the Global Token Revocation specification.
7. By default, Endpoint authentication type is set to Signed JWT.
8. For the Subject format type, select either Issuer and Subject Identifier or Email Identifier.
9. Click Save.

Configure Universal Logout in Identity Threat Protection

Configure Universal Logout to work with your app. Then you can configure the post auth session and entity risk policies to trigger Universal Logout when Identity Threat Protection identifies a change in risk. See these topics:

• Enforce post auth session evaluation policy
• Entity risk policy

End a user session from the user risk profile

You can manually end a user session from the user risk profile. See End a user session.

Related topics

Universal Logout

Universal Logout revocations

Manual remediation actions for Identity Threat Protection