Enable Single Logout for an identity provider

Early Access release

Single Logout (SLO) allows users to sign out of both their Okta session and their identity provider (IdP) with a single action. When SLO is enabled, users who sign out of logout-initiating apps or Okta will be automatically signed out of their IdP.

You can enable SLO for both SAML 2.0 and OIDC IdPs.

If you're using an Okta org as an IdP, see Enable SLO for an Okta IdP.

Enable SLO for a SAML 2.0 IdP

  1. In the Admin Console, go to Security > Identity Providers.

  2. Find the IdP that you want to enable SLO for, and then click Actions > Configure Identity Provider.

  3. In the General Settings section, click Edit.

  4. In the Logout section, select User logs out of other logout-initiating apps or Okta.

  5. In the Logout endpoint URL field, enter the IdP endpoint that Okta will send app-initiated logout requests to.

  6. In the Logout request binding section, select either HTTP POST or HTTP REDIRECT.

  7. Click Update Identity Provider.

Enable SLO for an OIDC IdP

  1. In the Admin Console, go to Security > Identity Providers.

  2. Find the IdP that you want to enable SLO for, and then click Actions > Configure Identity Provider.

  3. In the General Settings section, click Edit.

  4. In the Logout section, select User logs out of other logout-initiating apps or Okta.

  5. In the Logout endpoint URL field, enter the IdP endpoint that Okta will send app-initiated logout requests to.

  6. Click Update Identity Provider.

Enable SLO for an Okta IdP

If you're using an Okta org as an IdP, follow the steps in this section to configure Single Logout (SLO).

Before you begin

You must have two Okta orgs:

  • Okta Identity Provider org: Acts as the IdP in the federation flow.
  • Okta service provider org: Acts as the Service Provider (SP) in the federation flow.

In both orgs, you must enable Front-channel Single Logout and Front Channel SLO for IdPs in Settings > Features.

Enable SLO for a SAML Okta IdP

  1. Sign in to your Okta IdP org.

    1. Open the Admin Console and go to Applications > Applications.

    2. Click Create App Integration and select SAML 2.0.

    3. Follow the steps in Create SAML app integrations and ensure that the Attribute Statements section (see Define attribute statements) has the following values:

      • Name: 'email'

      • Name format: unspecified

      • Value: user.email

    4. After you've created the app, go to the Sign On tab and copy the value of Single Logout URL (app/{app}/{key}/slo/saml).

  2. Sign in to your Okta SP org.

    1. Go to Security > Identity Providers.

    2. Click the SAML Okta IdP.

    3. In the Logout section, select User logs out of other logout-initiating apps or Okta.

    4. In the Logout endpoint URL field, enter the Single Logout URL from your SAML app in your Okta IdP org.

    5. In the Logout request binding section, select either HTTP POST or HTTP REDIRECT.

    6. Click Update Identity Provider.

  3. Return to your Okta IdP org.

    1. In the Okta SAML app, click When app initiates logout.

    2. Set Response URL to the Org URL of your Okta SP org. For example: https://subdomain.okta.com.

    3. Set SP Issuer to the Audience URI value from the SAML Settings section of your custom Okta SAML app.

    4. Go to Directory > Profile Editor.

    5. Select the Okta user.

    6. Select First Name, and then clear Attribute Required.

    7. Select Last Name, and then clear Attribute Required.

Enable SLO for an OIDC Okta IdP

To enable SLO for an OIDC Okta IdP:

  1. In your browser, navigate to {okta-idp-org-url}/.well-known/openid-configuration.

  2. Copy the end_session_endpoint value.

  3. In your Okta SP org, go to Security > Identity Providers.

  4. Find the OIDC Okta IdP that you want to enable SLO for, and then click Actions > Configure Identity Provider.

  5. In the General Settings section, click Edit.

  6. In the Logout section, select User logs out of other logout-initiating apps or Okta.

  7. In the Logout endpoint URL field, enter the end_session_endpoint value that you copied in step 2.

  8. Click Update Identity Provider.
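Steps 1 and 2 above can be scripted, and it is worth checking the value before pasting it into the Logout endpoint URL field, because Okta redirects users to that URL when they sign out. The following is an added example, not Okta code: it reads the discovery document, verifies that `end_session_endpoint` is an HTTPS URL on the IdP org's own host, and rejects anything else. The org URL and discovery document are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlparse


def fetch_discovery(okta_idp_org_url: str, timeout: float = 5.0) -> dict:
    """Step 1: fetch {okta-idp-org-url}/.well-known/openid-configuration (needs network)."""
    url = okta_idp_org_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def logout_endpoint_url(discovery: dict, okta_idp_org_url: str) -> str:
    """Step 2: return end_session_endpoint, but only if it belongs to the IdP org."""
    org_host = urlparse(okta_idp_org_url.rstrip("/")).netloc.lower()
    issuer = discovery.get("issuer", "")
    if urlparse(issuer).netloc.lower() != org_host:
        raise ValueError(f"issuer {issuer!r} does not belong to {okta_idp_org_url!r}")
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no end_session_endpoint")
    ep = urlparse(endpoint)
    # Okta sends signed-out users here, so insist on TLS and on the IdP's own host.
    if ep.scheme != "https":
        raise ValueError(f"end_session_endpoint must use https, got {endpoint!r}")
    if ep.netloc.lower() != org_host:
        raise ValueError(f"end_session_endpoint host {ep.netloc!r} is not the IdP host")
    if ep.query or ep.fragment:
        raise ValueError("end_session_endpoint should have no query string or fragment")
    return endpoint


def sample_discovery() -> dict:
    """Constructed discovery document for offline use; not a real Okta org."""
    return {
        "issuer": "https://idp-org.example.com",
        "authorization_endpoint": "https://idp-org.example.com/oauth2/v1/authorize",
        "end_session_endpoint": "https://idp-org.example.com/oauth2/v1/logout",
    }


if __name__ == "__main__":
    # Swap sample_discovery() for fetch_discovery(org_url) against a live org.
    print(logout_endpoint_url(sample_discovery(), "https://idp-org.example.com"))
```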