Universal Logout

Early Access release

Universal Logout lets you terminate users’ sessions and their tokens for supported apps when Identity Threat Protection identifies a change in risk.

A user session is the time during which a user is authenticated and authorized to access apps secured by Okta. An app session refers to sessions that an app generates to allow users to access the app’s resources.

You can add Universal Logout actions as a response to Continuous Access and Entity risk policy evaluations. See Continuous Access evaluation and Entity risk policy. You can also manually end a user session from the user risk profile. See End a user session.

Supported apps

The following apps support Universal Logout.

Okta apps

  • Admin Console
  • End-User Dashboard
  • End-User Settings

Third-party apps

  • Box
  • Dropbox for Business
  • Google Workspace
  • Microsoft 365: These apps only provide partial logout. They only revoke refresh tokens. User sessions aren’t terminated until the user’s existing access tokens expire or the user signs out. The token expiration timeout is different for each app. See Revoke user access in Microsoft Entra ID.
  • PagerDuty
  • Salesforce
  • Slack: You can only enable Universal Logout for Slack Enterprise’s Slack account.
  • Zendesk
  • Zoom

Unsupported Okta apps

Universal Logout isn't available for the following Okta applications:

  • Access Gateway
  • Access Requests
  • End-User Plugins
  • Identity Governance
  • Privileged Access
  • Workflows