Universal Logout revocations

This topic describes which cookies and tokens Universal Logout revokes when you configure the session protection or entity risk policy to sign users out of Okta, their apps, or both.

Okta artifacts for SaaS and Okta apps

This table lists the artifacts that Okta issues to Software as a Service (SaaS) and Okta apps and the circumstances in which Universal Logout clears them.

Each app manages the cookies and tokens that it issues. See each app's documentation for information about its cookies and tokens. See Universal Logout for a list of supported apps.


Columns (circumstances): Admin-initiated clear user session | Entity risk policy violation | Global session policy violation* | Authentication policy violation**

Rows (artifacts): Session cookies | Refresh tokens | Access tokens | ID tokens

* — If a user is signed in to Okta on two or more devices, Okta revokes only cookies and tokens for the session on the device where the global session policy violation occurred.

** — If an app triggers an authentication policy failure, Okta revokes only that app's cookies and tokens.

Okta user session management tokens

This table lists the tokens that Okta issues for its own session management, password resets, and account unlocking and the circumstances in which Universal Logout clears them.


Columns (circumstances): Admin-initiated clear user session | Entity risk policy violation | Global session policy violation* | Authentication policy violation

Rows (tokens): State tokens | Password reset tokens | Account unlock tokens

* — If a user is signed in to Okta on two or more devices, Okta revokes only cookies and tokens for the session on the device where the global session policy violation occurred.

Okta artifacts for on-behalf-of-user scenarios

This table lists the artifacts that Okta issues on behalf of the user to authenticate in other systems and the circumstances in which Universal Logout clears them.


Columns (circumstances): Admin-initiated clear user session | Entity risk policy violation | Global session policy violation* | Authentication policy violation

Rows (artifacts): Custom authorization servers | SSWS tokens (API tokens)

* — If a user is signed in to Okta on two or more devices, Okta revokes only cookies and tokens for the session on the device where the global session policy violation occurred.

Related topics

Universal Logout

Configure Universal Logout for supported apps

Manual remediation actions for Identity Threat Protection