          Configure OpenID Connect Single Logout with Salesforce as the OpenID Connect Provider


          Configure single logout (SLO) for an existing connected app acting as the OpenID Connect relying party. With OpenID Connect SLO, users can log out of either Salesforce or the relying party to log out of both of them.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Federated Authentication is available in: All Editions

          Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Modify All Data

          Before you configure OpenID Connect SLO, review this information.

          • Confirm that the relying party supports OpenID Connect SLO.
          • Salesforce currently supports front-channel SLO only, meaning that SLO redirects must occur in the same browser. Salesforce doesn’t support SLO across different browsers.
          • After the initial creation of the connected app, changes to the SLO configuration on the connected app edit page don’t automatically propagate to the Manage Connected Apps page.
          • When users initiate SLO from Salesforce, the redirect to the login page is delayed for about 10 seconds. This delay ensures that the user is also logged out of the relying party.

          These steps edit an existing connected app. The fields described in the steps are the same whether you create or manage a connected app.

          1. In Setup, in the Quick Find box, enter apps, and then select Manage Connected Apps.
          2. Next to the connected app that you want to configure for SLO, click Edit.
          3. Under OAuth Policies, select Enable Single Logout.
          4. For Single Logout URL, enter the OpenID Connect SLO endpoint of the connected app’s relying party. This endpoint is where Salesforce sends a logout request when users log out of Salesforce. The relying party provides you with this endpoint. The Single Logout URL must be an absolute URL and start with https://.
          5. To control where users are redirected after they successfully log out, configure logout page settings.
            • For an org, set the logout page URL in your Session Settings. This URL applies to your entire org, not just the connected app. If you don’t set a logout page URL, users are redirected to your My Domain login page when they log out.
            • For an Experience Cloud site, set the logout page URL in the site’s Login & Registration settings. If you don’t set a logout page URL, users are redirected to the site login page when they log out.
          6. Provide the relying party with the OpenID Connect provider SLO endpoint for your Salesforce org. The relying party uses this endpoint to initiate SLO. The endpoint has the format https://MyDomainName.my.salesforce.com/services/auth/idp/oidc/logout where MyDomainName is your Salesforce domain. You can also find this endpoint using the OpenID Connect Discovery Endpoint.
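
A pre-flight check for steps 4 and 6, as an added example (not Salesforce code): it validates a Single Logout URL against the https:// rule and confirms that the logout endpoint read from a discovery document matches the documented format for the org. The My Domain name acme, the relying-party URLs, the sample discovery document and the function names are constructed, and reading the endpoint from the standard OpenID Connect metadata field end_session_endpoint is an assumption.

```python
import json
from urllib.parse import urlsplit

# Path taken from the endpoint format given in step 6.
SLO_PATH = "/services/auth/idp/oidc/logout"


def slo_url_problems(url):
    """Return reasons a Single Logout URL fails the step 4 rule (empty list = OK)."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        problems.append("must start with https://")
    if not parts.hostname:
        problems.append("must be an absolute URL with a host")
    return problems


def provider_slo_endpoint(my_domain_name):
    """Build the provider SLO endpoint for an org from its My Domain name."""
    return f"https://{my_domain_name}.my.salesforce.com{SLO_PATH}"


def slo_endpoint_from_discovery(discovery_json, my_domain_name):
    """Read the logout endpoint from a discovery document and confirm it is
    the step 6 endpoint for this org before handing it to the relying party."""
    doc = json.loads(discovery_json)
    # Assumption: the endpoint is published under the standard OpenID Connect
    # metadata name "end_session_endpoint".
    found = doc.get("end_session_endpoint")
    if found is None:
        raise ValueError("discovery document has no end_session_endpoint")
    expected = provider_slo_endpoint(my_domain_name)
    if found != expected:
        raise ValueError(f"unexpected logout endpoint {found!r}, wanted {expected!r}")
    return found


# Constructed sample discovery document for a hypothetical My Domain "acme".
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://acme.my.salesforce.com",
    "end_session_endpoint": "https://acme.my.salesforce.com/services/auth/idp/oidc/logout",
})

if __name__ == "__main__":
    for candidate in ("https://rp.example.com/oidc/slo", "http://rp.example.com/slo", "/oidc/slo"):
        print(candidate, "->", slo_url_problems(candidate) or "OK")
    print(slo_endpoint_from_discovery(SAMPLE_DISCOVERY, "acme"))
```

A mismatch between the discovered endpoint and the expected My Domain raises ValueError, which catches a discovery document fetched from the wrong org before the value reaches the relying party's configuration.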
           