Universal Logout
Universal Logout lets you terminate users' sessions and their tokens for supported apps when Identity Threat Protection identifies a change in risk.
A user session is the time during which a user is authenticated and authorized to access apps secured by Okta. An app session is a session that an app generates to allow a user to access the app's resources.
You can add Universal Logout actions as a response to Post Auth Session and Entity risk policy evaluations. See Post auth session evaluation with Identity Threat Protection and Entity risk policy. You can also manually end a user session from the user risk profile. See End a user session.
Supported apps
The following apps support Universal Logout.
Okta apps
These apps share an identity stack. The user is signed out of all of these apps when Universal Logout is triggered for any of them.
- Admin Console
- End-User Dashboard
- End-User Settings
- Okta Browser Plugin: When Universal Logout is triggered for this app, the app list appears in the plugin, but users have to reauthenticate if they want to access these apps.
Third-party apps
The permissions required, implementation requirements, and Universal Logout behaviors are different for each of these apps.
- Box: See Create jobs to terminate users session.
- Dropbox for Business: See /devices/list_member_devices and /devices/revoke_device_session_batch.
- Google Workspace and Google Cloud Platform: These apps share an identity stack. If a user has access to both of these apps, they're signed out of both apps when Universal Logout is triggered for Google Workspace. See Method: users.signOut.
- Microsoft 365, Defender for Cloud Apps, Defender for Endpoint, Defender for Office 365, and Azure Portal: These apps share an identity stack and only provide a partial Universal Logout. Universal Logout only revokes their refresh tokens. User sessions aren't terminated until the user's existing access tokens expire or the user signs out. The token expiration timeout is different for each app. See Revoke user access in Microsoft Entra ID.
- PagerDuty: See Delete a user's session.
- Salesforce: See AuthSession.
- Slack: You can only enable Universal Logout for Slack Enterprise's Slack account. See admin.users.session.reset.
- Surf: This product suspends a user when Universal Logout is triggered. To unsuspend a user, restore the session through the Surf console or API. Contact Surf for support.
- Zendesk: See Delete Session.
- Zoom: See Revoke a user's SSO token.
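The partial Universal Logout described for the Microsoft apps above can be reproduced with a simplified token model. This is an added example, not Okta or Microsoft code: it shows why revoking refresh tokens leaves existing access tokens usable until they expire. The signing key, class and function names, token format and the 3600-second lifetime are all constructed assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed signing key, not a real secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_access_token(sub: str, iat: int, ttl: int) -> str:
    """Issue a self-contained, HMAC-signed access token (JWT-like, simplified)."""
    body = _b64(json.dumps({"sub": sub, "iat": iat, "exp": iat + ttl}).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def claims(token: str) -> dict:
    """Verify the signature and return the token's claims."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

class IdentityProvider:
    """Tracks refresh tokens server-side, so they can be revoked immediately."""
    def __init__(self):
        self.refresh_tokens = {}  # refresh token -> user

    def sign_in(self, user: str, now: int, ttl: int):
        rt = f"rt-{user}-{now}"
        self.refresh_tokens[rt] = user
        return rt, mint_access_token(user, now, ttl)

    def refresh(self, rt: str, now: int, ttl: int) -> str:
        if rt not in self.refresh_tokens:
            raise PermissionError("refresh token revoked")
        return mint_access_token(self.refresh_tokens[rt], now, ttl)

    def revoke_refresh_tokens(self, user: str) -> None:
        self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != user}

def app_accepts(token: str, now: int) -> bool:
    """The app checks signature and expiry locally; it never asks the IdP."""
    try:
        return now < claims(token)["exp"]
    except ValueError:
        return False

def residual_window(tokens, revoked_at: int) -> int:
    """Seconds after revocation until the last outstanding access token expires."""
    return max(0, max(claims(t)["exp"] for t in tokens) - revoked_at)
```

For incident response, `residual_window` is the figure to track: it is how long after a partial logout the user can still reach the app unless they sign out themselves.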
Unsupported Okta apps
Universal Logout isn't available for the following Okta applications:
- Access Gateway
- Access Requests
- Identity Governance
- Privileged Access
- Workflows