← All terms
Single Logout (SLO)

What is Single Logout (SLO)?

Single logout (SLO) ends a user's sessions across all connected applications at once when they sign out, closing the gap SSO leaves open.

Last updated: 15 July 2026

How single logout works

Single sign-on creates a web of sessions: one at the identity provider and one local session in each application the user opened. Signing out of a single application normally ends only that local session; the others keep running. Single logout coordinates the teardown, so one logout action terminates the IdP session and notifies every participating application to end theirs.

The mechanics depend on the protocol. SAML defines logout requests and responses exchanged through the browser or directly between servers. OpenID Connect offers several mechanisms: front-channel logout, where the browser loads a logout URL for each client; back-channel logout, where the IdP sends signed logout tokens server to server; and RP-initiated logout, where an application asks the IdP to end the central session. Back-channel logout is the most reliable because it does not depend on the browser state.

Why single logout matters

Sessions left alive after a user believes they signed out are a real risk on shared and public computers, in kiosk scenarios, and during offboarding. An attacker or the next person at the keyboard inherits authenticated access to every application whose session survived. SLO makes the user's mental model, that logging out means logged out everywhere, actually true.

It also matters for incident response. When an account is suspected compromised, security teams need a way to revoke every active session immediately, not just the central one. Coordinated logout combined with short session lifetimes limits how long a stolen session remains useful.

Single logout in practice

SLO is notoriously harder to get right than SSO, because it depends on every application implementing its side of the logout exchange. Front-channel approaches break when browsers block third-party cookies or a tab is closed mid-flow, so prefer back-channel logout where applications support it, and treat front-channel as best effort.

A pragmatic architecture combines several layers: coordinated logout for applications that support it, short access token lifetimes so orphaned sessions expire quickly, and an administrative kill switch that revokes refresh tokens and IdP sessions centrally. Monosign acts as SAML and OIDC identity provider with centralized session policies, giving administrators a single point to terminate a user's sessions across connected applications.

Frequently asked questions

Why am I still signed in to some apps after logging out?
Logging out of one application or even the identity provider does not automatically end local sessions in other applications unless they participate in single logout. Applications that skipped the SLO integration, or front-channel flows blocked by the browser, leave those sessions alive until they expire.
What is the difference between front-channel and back-channel logout?
Front-channel logout runs through the user's browser, which loads a logout endpoint for each application; it is simple but fragile when cookies are blocked or the browser closes. Back-channel logout is a direct server-to-server notification with a signed logout token, so it works regardless of browser state.