Single Logout
With single logout (SLO), users can log out from the identity provider and the service provider by logging out from either of them. Whether Salesforce is the service provider or identity provider, you can enable SLO with SAML or OpenID Connect. SLO can increase security and save users time by removing manual logout from every individual application.
Required Editions
Available in: both Salesforce Classic and Lightning Experience

| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
See "New connected apps can no longer be created in Spring ’26" for more details.
SLO can be initiated from either the service provider or identity provider. For example, if Salesforce is the identity provider, users can log out from Salesforce to automatically log out of service providers using single sign-on (SSO). Alternatively, users can log out from a service provider to also log out of Salesforce.
To use SLO, identity providers and service providers must be configured for SSO and registered for SLO.
Salesforce currently supports front-channel SLO only, meaning that SLO redirects must occur in the same browser. Salesforce doesn’t support SLO across different browsers. Your users are only logged out of their registered apps if they explicitly log out of an external client app or connected app through a browser. If a browser session expires, users aren’t logged out of the other apps registered for SLO.
Salesforce supports these protocols.
- SAML SLO as an identity provider or service provider
- OpenID Connect SLO as an identity provider or relying party
- Configure SAML Single Logout with Salesforce as the Service Provider
  Configure single logout (SLO) for a SAML identity provider. With SAML SLO, users can log out of either Salesforce or the identity provider to log out of both of them.
- Configure OpenID Connect Single Logout with Salesforce as the Relying Party
  Configure single logout (SLO) for an authentication provider acting as the OpenID Connect provider. With OpenID Connect SLO, users can log out of either Salesforce or the OpenID Connect provider to log out of both of them.
- Configure SAML Single Logout with Salesforce as the Identity Provider
  Configure single logout (SLO) for a SAML service provider. With SAML SLO, users can log out of either Salesforce or the service provider to log out of both of them.
- Configure OpenID Connect Single Logout with Salesforce as the OpenID Connect Provider
  Configure single logout (SLO) for an existing connected app acting as the OpenID Connect relying party. With OpenID Connect SLO, users can log out of either Salesforce or the relying party to log out of both of them.
- SAML Session Index Support
  Salesforce supports session index parameters in requests and responses with SAML single logout (SLO). When a user logs out of a connected app registered for SAML SLO, the session index parameter is required to identify which user session to end.
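
The role of the session index described above, as an added example (not Salesforce code): a receiver of a SAML `LogoutRequest` uses `NameID` plus `SessionIndex` to end only the matching session when the same user has several. The session store, function names and sample request are constructed for illustration, and signature and issuer verification are assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def sample_sessions():
    # Constructed store: one user, two live sessions keyed by (NameID, SessionIndex).
    return {
        ("user@example.com", "idx-browser-a"): "session-1",
        ("user@example.com", "idx-browser-b"): "session-2",
    }

# Constructed LogoutRequest; the ds:Signature element is omitted.
SAMPLE_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:NameID>user@example.com</saml:NameID>
  <samlp:SessionIndex>idx-browser-a</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def end_sessions(logout_request_xml, sessions):
    """Remove the sessions a LogoutRequest names; return the ended session ids.

    Assumption: the signature and issuer were already verified and the XML
    was accepted by a hardened parser. Neither step is shown here.
    """
    root = ET.fromstring(logout_request_xml)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    name_id = (root.findtext("saml:NameID", default="", namespaces=NS) or "").strip()
    indexes = [(e.text or "").strip() for e in root.findall("samlp:SessionIndex", NS)]
    indexes = [i for i in indexes if i]
    if not name_id or not indexes:
        # Without a session index the request cannot say which session to end.
        raise ValueError("LogoutRequest must carry NameID and SessionIndex")
    ended = []
    for idx in indexes:
        # Match on the (user, session index) pair, never on the user alone.
        sid = sessions.pop((name_id, idx), None)
        if sid is not None:
            ended.append(sid)
    return ended
```

An unknown session index ends nothing and returns an empty list, which is worth logging because it can indicate a stale or replayed request.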

