authentik now supports Single Logout (SLO)
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Keycloak, and Ping. Authentik Security is a public benefit company building on top of the open source project.
Starting with version 2025.10, authentik supports both SAML single logout and OpenID Connect (OIDC) front-channel logout and back-channel logout.
This means that when you terminate a session in authentik, it sends logout requests to all properly configured applications, ending sessions everywhere.
While SAML single logout has existed for years, OIDC logout specifications are newer, and back-channel logout in particular isn't yet widely adopted by applications (service providers/relying parties) or other Identity Providers. Even long-supported SAML single logout usually has only front-channel support in applications and IdPs.
What is single logout?
Single logout (SLO) is the natural complement to single sign-on. With single sign-on, once you authenticate to authentik, you can automatically access all other applications that use authentik as an identity provider. With single logout, once you log out of authentik, you're automatically logged out of all properly configured applications that you accessed through authentik.
Single logout works by using the SAML protocol's single logout service URL and OIDC's front-channel and back-channel logout URLs, as defined in their specifications. When a request is sent via the IdP to the application's configured logout URL, the application terminates the user's session.
Without single logout, when a user logs out of an IdP, their sessions stay active with every application they logged into, meaning either:
- The user will have to manually visit each application and log out.
- An administrator will have to visit each application manually and log out the user for them.
- The user will end up leaving a plethora of orphaned accounts that may be vulnerable to being hijacked.
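The application side of the back-channel logout described above, as an added example (not authentik's code and not from the original post): it validates a logout token using the claim checks from the OpenID Connect Back-Channel Logout 1.0 specification and ends the matching sessions. The HS256 shared secret, the `sessions` dict, the `seen_jti` set and all function names are assumptions chosen so the block runs on the standard library; deployments normally verify against the IdP's published signing keys with a JWT library.

```python
import base64, hashlib, hmac, json, time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_logout_token(claims, secret):
    """Constructed HS256 logout token; stands in for what the IdP would POST."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(f'{head}.{body}', secret))}"

def handle_backchannel_logout(token, secret, issuer, client_id, sessions, seen_jti, now=None):
    """Validate a logout token, end the matching sessions, return how many ended."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")          # ValueError unless three parts
    header, claims = json.loads(b64d(head)), json.loads(b64d(body))
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # pin the alg; never accept 'none'
    if not hmac.compare_digest(sign(f"{head}.{body}", secret), b64d(sig)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:                       # keeps ID tokens from being replayed here
        raise ValueError("nonce is prohibited in logout tokens")
    sid, sub = claims.get("sid"), claims.get("sub")
    if not (sid or sub):
        raise ValueError("token names no session or subject")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)) or exp <= now or iat > now + 60:
        raise ValueError("expired or invalid timestamps")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    # sid targets one IdP session; a sub-only token ends every session of that user.
    doomed = [k for k, s in sessions.items() if (s["sid"] == sid if sid else s["sub"] == sub)]
    for k in doomed:
        del sessions[k]
    return len(doomed)
```
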