Single Logout Control
Configure Single Logout on applicable use cases for connections with external applications or identity providers.
Salesforce Single Logout is a security configuration that ensures a user's session is terminated across all connected applications simultaneously. Without SLO, logging out of Salesforce might leave other integrated apps active, creating a significant security gap.
Salesforce supports SLO through two primary protocols: SAML and OpenID Connect (OIDC). The settings available depend on whether Salesforce is acting as the Identity Provider (IdP) or the Service Provider (SP).
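As an added illustration, not Salesforce code or code from this page, the following Python shows what a service provider must check when its identity provider (for example Salesforce acting as IdP) sends a SAML 2.0 LogoutRequest, and how it then tears down the matching local session so that no orphan session survives the logout. The trusted issuer, the SLO endpoint, the session store and the LogoutRequest itself are constructed sample values; verification of the XML signature on the request is assumed to happen before this code runs.

```python
"""SP-side handling of a SAML 2.0 LogoutRequest (added illustration).

Shows the validation a service provider performs before honouring a
LogoutRequest and the session teardown that prevents orphan sessions.
Signature verification is assumed to be done by the caller.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed trust configuration for a hypothetical SP (assumptions).
TRUSTED_ISSUER = "https://idp.example.com"
SLO_ENDPOINT = "https://sp.example.com/saml/slo"

# Constructed local session store: SessionIndex -> session record.
SESSIONS = {
    "_sess-1": {"name_id": "alice@example.com", "active": True},
    "_sess-2": {"name_id": "bob@example.com", "active": True},
}

# Constructed sample LogoutRequest; every value is invented.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-123" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    NotOnOrAfter="2024-01-01T12:05:00Z"
    Destination="https://sp.example.com/saml/slo">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:NameID>alice@example.com</saml:NameID>
  <samlp:SessionIndex>_sess-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class LogoutRequestError(ValueError):
    """Raised when a LogoutRequest fails a validation check."""


def utc(iso):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_logout_request(xml_text, now):
    """Validate a LogoutRequest; return (name_id, [session_index, ...])."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise LogoutRequestError("not a LogoutRequest")

    # Only the configured IdP may terminate sessions here.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        raise LogoutRequestError(f"untrusted issuer: {issuer!r}")

    # When Destination is present it must name our own SLO endpoint.
    dest = root.get("Destination")
    if dest is not None and dest != SLO_ENDPOINT:
        raise LogoutRequestError(f"wrong destination: {dest!r}")

    # A stale (replayed) request past NotOnOrAfter must not be honoured.
    expiry = root.get("NotOnOrAfter")
    if expiry is not None and now >= utc(expiry):
        raise LogoutRequestError("LogoutRequest expired")

    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not name_id:
        raise LogoutRequestError("missing NameID")

    indexes = [e.text for e in root.findall("samlp:SessionIndex", namespaces=NS) if e.text]
    return name_id, indexes


def handle_logout_request(xml_text, now, sessions=SESSIONS):
    """Terminate the local sessions named by a valid LogoutRequest.

    Returns (status_uri, terminated_count); status_uri is what the
    LogoutResponse would carry back to the IdP.
    """
    try:
        name_id, indexes = parse_logout_request(xml_text, now)
    except LogoutRequestError:
        return STATUS_REQUESTER, 0

    # Without a SessionIndex, SAML semantics are "all sessions of this principal".
    targets = indexes or [i for i, s in sessions.items() if s["name_id"] == name_id]
    terminated = 0
    for idx in targets:
        sess = sessions.get(idx)
        # Never let a request for one user end another user's session.
        if sess and sess["name_id"] == name_id and sess["active"]:
            sess["active"] = False
            terminated += 1
    return STATUS_SUCCESS, terminated
```

Run `handle_logout_request(SAMPLE_LOGOUT_REQUEST, utc("2024-01-01T12:01:00Z"))` to see the valid request end only alice's session and leave bob's untouched; the same request presented after its NotOnOrAfter, or with a different Issuer, is answered with the Requester status and terminates nothing.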
Security Health Review reports whether your Salesforce instance is configured for Single Logout, using configuration signals aligned with Salesforce-recommended best practices, and highlights the gaps that present the highest security and business risk.
Control Name
Single Logout
Recommended Configuration
Configure, validate, and regularly review the Salesforce Single Logout setup to make sure that it is correctly configured for each applicable use case in the company, whether Salesforce is the Service Provider, the Relying Party, or the Identity Provider.
Control Overview
Configure Single Logout on applicable use cases for connections with external applications or identity providers.
Security Risk If Not Configured
An orphan session that stays active in a connected application after the user logs out of Salesforce. A threat actor who obtains such a session can hijack it and move laterally between applications to access sensitive data without authenticating.
Threat Scenarios
If a user forgets to log out of every app individually, an attacker who obtains an active "orphan" session can use it to access sensitive data without authenticating.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk severity depends on the user population size and access privileges granted upon login.
Higher Risk When
Sessions are not constrained by session controls, for example:
- Ineffective Session Timeout Policy
- Overly Permissive Access Scope
- Overly Permissive Login IP Restrictions
Low or No Risk When
This control can be considered low risk when one or more of the following are implemented:
- Periodic Review of Service Providers: Review the applications connected to Salesforce as Service Providers and understand their risks.
- Certificate Management: Periodically review the certificate your org uses to communicate with the service provider, and use a certificate issued by a trusted CA.
- Forced Authentication Configured: Require users who are already logged in to Salesforce to reenter their credentials when they try to access the service provider.
- Login timeout: Automatically log users out of the service provider when they log out of Salesforce.
- MFA Enforcement: MFA is enforced for Salesforce users.
- IP Login Restriction: Login IP restrictions are applied to users based on their profiles.
Business and Integration Considerations
Customers should evaluate business justification for external connected apps that require continuous connection in alignment with access policies, regulatory requirements, and user experience expectations.
Recommended Remediation
Review every configured Service Provider and Identity Provider setup, configure Single Logout for each, and rotate the credentials periodically.
Security Health Review Guidance
Security Health Review identifies whether Single Logout is configured in Salesforce to help customers reduce identity federation risk and prevent unauthorized access, in line with Salesforce-recommended security baselines and Zero Trust principles.
See Also
- Use Your SSO Identity Provider’s MFA Service for Salesforce Orgs
- Configure SAML Single Logout with Salesforce as the Service Provider
- Configure OpenID Connect Single Logout with Salesforce as the Relying Party
- Configure SAML Single Logout with Salesforce as the Identity Provider
- Configure OpenID Connect Single Logout with Salesforce as the OpenID Connect Provider