What is SAML single logout?
SAML (Security Assertion Markup Language) is a protocol used for single sign-on (SSO) and forms the foundation for single logout which extends SAML's capabilities to session termination across apps.
SAML single logout lets users log out from both the Atlassian application and the identity provider (IdP) with a single action. When a user logs out from an Atlassian application, such as Jira, they also log out of their session with the identity provider (such as Okta or Microsoft Entra). This process does not log the user out of other non-Atlassian apps that use the same IdP.
Single logout provides the following security and usability benefits:
Prevents unauthorized access to data in Atlassian apps.
Users don’t have to remember to log out from every app individually.
How single logout works at Atlassian
When you configure single logout, here’s how it works with Atlassian apps:
A user logs into Atlassian using a supported identity provider (such as Okta or Microsoft Entra) and accesses these apps:
Jira
Confluence
Bitbucket
When the user logs out of Jira, Jira initiates the logout process:
Jira notifies the identity provider (IdP) that the user has logged out.
The identity provider ends the user session on that side.
The identity provider sends a confirmation back to Atlassian that the user has been logged out from the IdP.
The user is now logged out of Jira and their identity provider session. Without single logout, the user would remain logged into the other apps unless they manually log out from each one.
Single logout available for Okta and Microsoft Entra identity providers
Atlassian supports app-initiated SAML single logout for both Okta and Microsoft Entra identity providers. Learn how to set these up:
When you enable single logout, we automatically log out users from the Atlassian app and the identity provider.
Was this helpful?