The Single Logout (SLO) feature allows a user to sign out of an SLO-participating app on their device and end their Okta session. However, it does not automatically log the user out of other active OIDC apps. This article explains some crucial points and limitations of SLO with Okta.
- Single Logout (SLO)
- OIDC Apps
- Okta Identity Engine
When multiple OIDC apps are running, all of them participate in SLO, and the logout is initiated from one of these apps, that app is logged out and Okta makes calls to the SLO endpoints of the remaining apps.
For example, consider three OIDC apps with the following configuration:
| App Name | Domain | SLO Endpoint |
| --- | --- | --- |
| A | http://localhost:8080 | http://localhost:8080/slo/logout |
| B | http://localhost:8081 | http://localhost:8081/slo/logout |
| C | http://localhost:8082 | http://localhost:8082/slo/logout |
- A user has logged in to all the applications and then initiates the logout from App A.
- The logout and revoke endpoints are hit and the user is logged out from App A.
- Okta determines that Apps B and C were also part of the same Okta session as App A, and Okta sends the logout request to Apps B and C (at their SLO endpoints) in an embedded iframe that is invisible to the user.
- The important thing to note is that the apps will not be automatically logged out. It is the app's responsibility to be able to 'listen' when these endpoints are hit and then subsequently log the user out of the app.
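The following sketch shows what "listening" on the SLO endpoint can look like for App B. It is an added example, not Okta's code or code from this article. It assumes the logout request carries the `iss` and `sid` query parameters defined by OpenID Connect Front-Channel Logout, that the app recorded the Okta session ID at login, and that the issuer URL and session store shown are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Placeholder issuer for the Okta org (assumption, replace with your own).
EXPECTED_ISSUER = "https://example.okta.com"

# Constructed sample store: local session id -> data recorded at login.
SESSIONS = {
    "local-1": {"user": "alice", "okta_sid": "sid-AAA"},
    "local-2": {"user": "alice", "okta_sid": "sid-AAA"},
    "local-3": {"user": "bob", "okta_sid": "sid-BBB"},
}

# The logout response must never be served from a cache.
NO_CACHE = {"Cache-Control": "no-store", "Pragma": "no-cache"}


def handle_slo_request(url, sessions, cookie_session_id=None):
    """Process a hit on /slo/logout.

    Returns (status, headers, ended_ids). `cookie_session_id` is the local
    session id taken from the app's own cookie, if the browser sent one.
    """
    query = parse_qs(urlsplit(url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]

    # iss and sid travel together; one without the other is malformed.
    if (iss is None) != (sid is None):
        return 400, NO_CACHE, []
    # Ignore logout requests that do not name the expected issuer.
    if iss is not None and iss != EXPECTED_ISSUER:
        return 400, NO_CACHE, []

    if sid is not None:
        # End every local session tied to this Okta session, and only those.
        ended = [k for k, v in sessions.items() if v["okta_sid"] == sid]
    elif cookie_session_id in sessions:
        # No session details in the request: fall back to the cookie.
        ended = [cookie_session_id]
    else:
        ended = []

    for key in ended:
        del sessions[key]  # the app-side logout the endpoint is responsible for
    return 200, NO_CACHE, ended
```

Matching on `sid` on the server side also covers browsers that withhold the app's session cookie inside a cross-site iframe; the cookie fallback only works when that cookie is set with `SameSite=None; Secure`.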
Related References
- Okta recommends visiting the Configure Single Logout documentation to learn more about the Single Logout process for a more thorough understanding of SLO.
