authentik now supports Single Logout (SLO)
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Keycloak, and Ping. Authentik Security is a public benefit company building on top of the open source project.
Starting with version 2025.10, authentik supports both SAML single logout and OpenID Connect (OIDC) front-channel logout and back-channel logout.
This means that when you terminate a session in authentik, it sends logout requests to all properly configured applications, ending sessions everywhere.
While SAML single logout has existed for years, the OIDC logout specifications are newer, and back-channel logout in particular isn't yet widely adopted by applications (service providers/relying parties) or by other Identity Providers. Even SAML single logout, despite its long history, is usually implemented only over the front channel by applications and IdPs.
What is single logout?
Single logout (SLO) is the natural complement to single sign-on. With single sign-on, once you authenticate to authentik, you can automatically access all other applications that use authentik as an identity provider. With single logout, once you log out of authentik, you're automatically logged out of all properly configured applications that you accessed through authentik.
Single logout works by leveraging the SAML protocol's single logout service URL and the front-channel and back-channel logout URIs defined in the OIDC logout specifications. When the IdP sends a logout request to the application's configured logout URL, the application terminates the user's session.
Without single logout, when a user logs out of an IdP, their sessions stay active with every application they logged into, meaning either:
- The user will have to manually visit each application and log out.
- An administrator will have to visit each application manually and log out the user for them.
- The user will end up leaving a plethora of orphaned sessions that may be vulnerable to being hijacked.
Why would I need single logout?
Single logout can be helpful for users using shared devices, preventing abandoned session hijacking, and meeting certain compliance standards. For example, let's say an employee is using a shared computer to log into an IdP. They use the IdP to log into their email, update some internal documentation, and send some co-workers messages. After their work is done, they log out of their IdP. Without single logout, this user would have to go to each application they logged into and manually log out, which they may forget to do. If the sessions aren't manually terminated, a malicious actor can walk up to the computer and begin using their still active email and messaging sessions.
Front-channel and back-channel logout
Sending logout requests to applications can happen through either front-channel or back-channel communication.
Front-channel logout operates through the user's browser. The IdP loads multiple iframes that send logout requests to each application the user is logged into. In authentik, we offer iframe-based logout, along with a native logout alternative that redirects the browser directly in order to keep compatibility with older SAML applications.
Back-channel logout uses direct server-to-server communication. The IdP's server sends logout requests directly to each application's logout endpoint, independent of the user's browser state. This method is more reliable and works even when the user's browser is closed, which is critical for administrative session termination. However, it requires applications to support back-channel single logout, which is less common than supporting front-channel logout.
Whenever possible, it's best to use back-channel logout over front-channel logout. OIDC front-channel logout and back-channel logout are both fairly new, with back-channel OIDC logout being even newer, so very few applications use it. But back-channel logout is less prone to browser-based errors and gives admins more control over users' application logouts.
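To make the two channels concrete, here is an added example (not authentik's code, and not taken from this post) that implements both sides of OIDC back-channel logout with only the Python standard library, plus the front-channel URL an IdP would load in an iframe. It assumes an HS256 logout token signed with a shared client secret so it runs offline; real deployments normally verify against the IdP's asymmetric JWKS keys. The issuer, client id, session ids and secret are constructed placeholders. The relying-party side performs the checks the back-channel logout spec asks for (signature, iss, aud, freshness, the `events` claim, no `nonce`, `sid` or `sub` present, and `jti` replay protection) before ending the matching local session.

```python
"""Constructed example: OIDC back-channel logout token minting (IdP side),
validation (RP side) and session termination, stdlib only."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Event URI the OIDC Back-Channel Logout spec requires in the "events" claim.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_logout_token(secret, issuer, client_id, sid=None, sub=None, now=None, jti=None):
    """IdP side: build a signed logout token addressed to one relying party."""
    now = int(now if now is not None else time.time())
    claims = {"iss": issuer, "aud": client_id, "iat": now, "exp": now + 120,
              "jti": jti or secrets.token_urlsafe(16),
              "events": {BACKCHANNEL_EVENT: {}}}   # marks this JWT as a logout token
    if sid:
        claims["sid"] = sid                       # the IdP session being ended
    if sub:
        claims["sub"] = sub
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_logout_token(token, secret, issuer, client_id, now=None, max_age=300):
    """RP side: return the claims of a valid logout token, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":              # never honour alg=none or a downgrade
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(now if now is not None else time.time())
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id != aud and client_id not in (aud if isinstance(aud, list) else []):
        raise ValueError("token not addressed to this client")
    if not isinstance(claims.get("iat"), int) or now - claims["iat"] > max_age:
        raise ValueError("token too old")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if not claims.get("jti"):
        raise ValueError("missing jti")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("not a logout token")
    if "nonce" in claims:                         # a nonce means ID token, not logout token
        raise ValueError("nonce present")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("neither sid nor sub present")
    return claims


class SessionStore:
    """Relying-party session table keyed by the RP's own local session id."""

    def __init__(self):
        self._sessions = {}      # local id -> {"sub": ..., "sid": ...}
        self._seen_jti = set()   # replay cache for logout tokens

    def create(self, local_id, sub, sid):
        self._sessions[local_id] = {"sub": sub, "sid": sid}

    def active(self):
        return sorted(self._sessions)

    def backchannel_logout(self, token, secret, issuer, client_id, now=None):
        """Handle a POST to the back-channel logout URI; return sessions ended."""
        claims = verify_logout_token(token, secret, issuer, client_id, now)
        if claims["jti"] in self._seen_jti:
            raise ValueError("replayed logout token")
        self._seen_jti.add(claims["jti"])
        # With sid, end only that IdP session; without it, end every session of sub.
        victims = [lid for lid, s in self._sessions.items()
                   if (s["sid"] == claims["sid"] if "sid" in claims
                       else s["sub"] == claims["sub"])]
        for lid in victims:
            del self._sessions[lid]
        return len(victims)


def frontchannel_logout_url(logout_uri, issuer, sid):
    """Front-channel counterpart: the URL the IdP loads in an iframe, carrying
    iss and sid so the RP can match the session without trusting the referrer."""
    sep = "&" if "?" in logout_uri else "?"
    return logout_uri + sep + urlencode({"iss": issuer, "sid": sid})
```

The `sid`-versus-`sub` branch in `backchannel_logout` is the part worth noticing: a token carrying `sid` ends one IdP session (the shared-computer case), while a token carrying only `sub` ends every session that subject has at this application, which is what an administrator terminating a user needs.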
How do other Identity Providers handle single logout?
It is not uncommon for IdPs to have no single logout support at all. Many IdPs that do support SLO, such as Duo, often only support front-channel logout. However, we feel at authentik that supporting back-channel logout is important, because not having to rely on the browser can better guarantee that sessions are properly terminated. The OIDC back-channel logout spec was only released a couple of years ago, meaning not many applications and identity providers have had time to fully implement it yet. Even some of the legacy players like Okta have yet to add support for OIDC back-channel logout, opting instead to create their own protocol as a replacement and trying to get applications to adopt it instead of using an existing open standard.
Provider | SAML SLO | OIDC Front-channel | OIDC Back-channel |
---|---|---|---|
authentik | ✅ Full support | ✅ Supported | ✅ Supported |
Authelia | ❌ Not supported | ❌ Not supported | ❌ Not supported |
Duo | ⚠️ Limited support | ✅ Supported | ❌ Not supported |
Okta | ⚠️ Limited support | ✅ Supported | ❌ Not supported |
Keycloak | ✅ Full support | ✅ Supported | ✅ Supported |
\*Full support = Redirect and POST bindings, front- and back-channel
Keep calm and log out everywhere
By supporting front-channel and back-channel logout for both SAML and OIDC, we are aiming to give users the best experience possible, and we include these security capabilities in our free, open source offering for all users rather than charging separately for this functionality. Although most applications only support front-channel logout, we are adopting newer standards like OIDC back-channel logout early, hoping to see more applications support it for its better user experience and reliability. We want to give you all the options now: front-channel logout so you can get started, and back-channel logout so you can be ready for the future. For detailed configuration information and troubleshooting, refer to our documentation: