This article presents the correct method to perform a Universal Logout (ULO) using Okta Workflows.
It also clarifies the difference between simply clearing a user's Okta session and performing a comprehensive ULO, which terminates sessions across multiple applications.
- Okta Workflows
- Universal Logout (ULO)
- Identity Threat Protection
- Okta Identity Engine (OIE)
A common incorrect implementation uses the Clear User Sessions card in an Okta Workflow. That card calls the following Application Programming Interface (API) endpoint:
DELETE /api/v1/users/<USERID>/sessions?oauthTokens=true
This call ends the user's Okta session and, with oauthTokens=true, revokes the OAuth 2.0 tokens Okta has issued to that user. It sends no logout signal to downstream applications, so any sessions those applications hold for the user survive. Clearing the Okta session alone therefore does not constitute a Universal Logout.
A true Universal Logout (ULO) is triggered automatically by Okta Identity Threat Protection (ITP) in response to a threat or manually from the Admin Console.
- The manual action, Clear active sessions for apps with logout enabled, performs a global token revocation: in addition to the Okta session, it signals each integrated application that has Universal Logout enabled to end its own session for the user. Applications without logout enabled are not contacted and keep their sessions. For more information, see End a user's sessions manually.
- This manual action calls the following API endpoint:
POST /oauth2/v1/global-token-revocation
To trigger the equivalent ULO from a workflow, do not use the Clear User Sessions card; use the card that corresponds to the Global Token Revocation endpoint. That card is the Global Token Revocation card in the Okta ITP connector, as described in the Workflows connector reference.
To correct the workflow, perform the following steps:
- In the Okta Workflow, remove the Clear User Sessions card if present.
- Add the Global Token Revocation card, which is part of the Okta ITP connector.
- Map the User ID from the preceding step into the User ID field of the Global Token Revocation card.
- Save the flow and confirm it is turned on, then test it against a non-production user and verify that the user is signed out of an application that has Universal Logout enabled, not just out of Okta.
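The two API calls discussed above, written out as plain HTTP requests so the difference between them is visible. This is an added example and not Okta's or Okta Workflows' own code. It assumes an SSWS API token for authentication and, for the Global Token Revocation call, a request body carrying a subject identifier in the iss_sub format (issuer plus Okta user ID); that body shape is an assumption and should be checked against the Okta API reference for your org before use. The request builders run offline; nothing is sent unless the script is run directly with the environment variables set.

```python
"""Clear User Sessions versus Global Token Revocation as raw HTTP requests.

Added example, not Okta's code. Request shapes:
  DELETE /api/v1/users/{userId}/sessions?oauthTokens=true   (Okta session only)
  POST   /oauth2/v1/global-token-revocation                  (Universal Logout)
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode


def _headers(api_token):
    # Okta Management API calls authenticate with an SSWS API token.
    return {
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def build_clear_user_sessions(org_url, user_id, api_token):
    """The call behind the Clear User Sessions card.

    Ends the user's Okta session and revokes Okta-issued OAuth 2.0 tokens.
    Nothing is sent to downstream applications, so their sessions survive.
    Documented success response is 204 No Content.
    """
    url = f"{org_url.rstrip('/')}/api/v1/users/{user_id}/sessions?" + urlencode(
        {"oauthTokens": "true"}
    )
    return urllib.request.Request(url, method="DELETE", headers=_headers(api_token))


def build_global_token_revocation(org_url, user_id, api_token):
    """The call behind 'Clear active sessions for apps with logout enabled'.

    ASSUMPTION: the body is a subject identifier in the iss_sub format, with
    the org URL as issuer and the Okta user ID as subject. Verify the exact
    body format against the Okta API reference before relying on it.
    """
    body = {
        "sub_id": {
            "format": "iss_sub",
            "iss": org_url.rstrip("/"),
            "sub": user_id,
        }
    }
    url = f"{org_url.rstrip('/')}/oauth2/v1/global-token-revocation"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST", headers=_headers(api_token)
    )


def is_universal_logout(req):
    """True only for the Global Token Revocation request; a sessions DELETE
    is an Okta-only logout, whatever the oauthTokens flag says."""
    return req.get_method() == "POST" and req.full_url.endswith(
        "/oauth2/v1/global-token-revocation"
    )


def send(req, timeout=10):
    """Perform the request and return the HTTP status code (2xx = accepted)."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    org = os.environ.get("OKTA_ORG_URL")      # e.g. https://example.okta.com
    token = os.environ.get("OKTA_API_TOKEN")  # SSWS API token
    uid = os.environ.get("OKTA_USER_ID")      # Okta user ID, 00u...
    if not (org and token and uid):
        sys.exit("set OKTA_ORG_URL, OKTA_API_TOKEN and OKTA_USER_ID to send")
    req = build_global_token_revocation(org, uid, token)
    status = send(req)
    print("universal logout" if is_universal_logout(req) else "okta-only", status)
    sys.exit(0 if 200 <= status < 300 else 1)
```

When reviewing a flow export or an API log, the method and path are the quickest tell: a DELETE against /api/v1/users/.../sessions is the Clear User Sessions card, and only a POST to /oauth2/v1/global-token-revocation reaches the applications with logout enabled.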
