          OAuth Access Policies - Enable Single Logout Control
          Control Name

          OAuth Access Policies - Enable Single Logout

          Control Overview

          Ensures that logging out of one application automatically terminates all associated sessions across the federated identity ecosystem for that connected app.

          Description

          Configures Salesforce to send and receive logout requests (via SAML or OIDC) to synchronize session termination across different active sessions for the underlying connected app.

          Recommended Configuration

          Enable "Single Logout" in the Connected App settings. Provide a valid Single Logout URL and share the SAML Signing Certificate so that the authenticity of incoming logout requests can be validated.
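The receiving side of the mechanism described above, as an added example that is not Salesforce's own code: an inbound SAML LogoutRequest is checked for a trusted Issuer, the configured Single Logout URL as Destination and a still-open NotOnOrAfter window, and then every matching session for that user and connected app is terminated. The IdP entity ID, the Single Logout URL and the session table are constructed for the example; XML-DSig verification against the shared signing certificate is assumed to run before this code and is not reproduced here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values; a real deployment takes these from the connected app settings.
TRUSTED_IDP = "https://idp.example.com/metadata"   # hypothetical IdP entity ID
SLO_URL = "https://sp.example.com/saml/logout"      # hypothetical Single Logout URL

# Constructed session table: session_id -> (name_id, connected_app, session_index)
SESSIONS = {
    "s1": ("alice@example.com", "crm-app", "idx-001"),
    "s2": ("alice@example.com", "crm-app", "idx-002"),
    "s3": ("bob@example.com", "crm-app", "idx-003"),
}

def parse_time(iso):
    """Parse a SAML UTC timestamp such as 2024-01-01T10:05:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_logout_request(xml_text, now):
    """Validate the LogoutRequest envelope. Signature verification with the
    shared IdP certificate (needs an XML-DSig library) must already have passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("issuer is not the trusted IdP")
    if root.get("Destination") != SLO_URL:          # misconfigured SLO URL case
        raise ValueError("Destination does not match our Single Logout URL")
    exp = root.get("NotOnOrAfter")
    if exp and parse_time(exp) <= now:
        raise ValueError("stale LogoutRequest")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = [e.text for e in root.findall("samlp:SessionIndex", NS)]
    return name_id, indexes

def handle_logout(xml_text, app, sessions, now_iso=None):
    """Terminate the user's sessions for the connected app; return their ids.
    If the request names SessionIndex values, only those sessions are ended."""
    now = parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    name_id, indexes = parse_logout_request(xml_text, now)
    killed = [sid for sid, (user, sapp, idx) in sessions.items()
              if user == name_id and sapp == app and (not indexes or idx in indexes)]
    for sid in killed:
        del sessions[sid]
    return killed

def sample_request(session_index_xml=""):
    """Constructed LogoutRequest as the IdP would send it (signature omitted)."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_r1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z"'
            f' NotOnOrAfter="2024-01-01T10:05:00Z" Destination="{SLO_URL}">'
            f'<saml:Issuer>{TRUSTED_IDP}</saml:Issuer>'
            f'<saml:NameID>alice@example.com</saml:NameID>'
            f'{session_index_xml}</samlp:LogoutRequest>')
```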

          Security Impact

          Closes the orphaned session window where a user believes that they have exited the system but remains logged in to downstream or upstream applications.

          Business Impact

          Streamlines the user experience by removing the need for manual logout from multiple tabs and ensures compliance with data privacy standards (for example, GDPR/HIPAA) regarding session destruction.

          Security Risk If Not Configured

          Without single logout, a session that the primary user believes is closed can remain active in Salesforce after they have logged out elsewhere, allowing an unauthorized person on shared hardware or a public terminal to take over that still-active session.

          Threat Scenarios

          Session Hijacking: An attacker uses an open session on a public computer.
          Insufficient Session Expiration: A user logs out of the IdP but the Salesforce session remains valid for hours.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Risk is amplified in environments with shared workstations where multiple users access the same physical hardware, or environments where inactive session lockout configuration is not enforced.

          Higher Risk When

          Inactive session lockout configuration is not enabled, or the Single Logout URL is missing/incorrect, leading to ghost sessions that persist until the timeout period expires.

          Low Risk When

          Logging out of the IdP triggers a successful LogoutRequest to Salesforce and all other connected service providers.

          Business and Integration Considerations

          Requires coordination with business users to confirm that logging users out of all sessions for the connected app does not disrupt daily activities.

          Security Health Review Guidance

          Security Health Review identifies whether the Enable Single Logout configuration is enforced in your Salesforce organization.

          Who Is Impacted

          Internal employees, administrators, developers, and workforce users accessing connected applications through Salesforce directly.
