Enabling Single Logout (SLO) on Sprinklr


Single Logout (SLO) is a security feature in Single Sign-On (SSO) systems that ensures your session is terminated across all connected applications and services when you log out of one. By enabling SLO, organizations streamline session management and reduce the risk of unauthorized access, because you're automatically logged out of every application tied to the SSO provider once you sign out of the Identity Provider (IdP). You no longer need to log out of each service individually, which improves both security and convenience. With SLO, logging out of the SSO session logs you out of all connected apps such as Sprinklr, and vice versa.

Typical Single Logout Flow

Image Legend:

  • SP = Service Provider (e.g., Sprinklr, where the user wants to log in via SSO)

  • IdP = Identity Provider (e.g., Okta, Azure AD)

How to Set Up Single Logout (SLO) in Sprinklr

This guide explains how to enable Single Logout (SLO) on the Sprinklr side after configuring your Identity Provider (IDP). SLO ensures users are logged out of Sprinklr when they log out of your IDP, creating a seamless and secure session management experience.

Prerequisites 

1. SSO is already configured between your IDP (e.g., Okta, Azure AD) and Sprinklr. 

2. The Single Logout (SLO) feature is enabled in your Sprinklr environment. Please raise a support ticket to enable it.

3. Single Logout (SLO) is configured on your IDP with the correct Sprinklr SLO endpoint: https://{prefix-of-domain}.sprinklr.com/logout 

a. Example: https://acme.sprinklr.com/logout 

4. Access to Single Sign-Ons configuration in Sprinklr Settings. 

Step 1: Enable Single Logout in Sprinklr 

1. Log in to Sprinklr as a Global Admin

2. Navigate to All Settings > Manage Customer > Single Sign-Ons

3. Locate your existing SSO configuration (e.g., "Company SSO") and click Edit.

4. Within the SSO edit screen, find the checkbox Do you want to enable Single Logout? Select the checkbox, enter the Single Logout URL, and select the Single Logout Request Binding Method (HTTP Post/HTTP Redirect) as per your configuration.

5. Save the configuration to apply the changes.

Notes:

  • If you can’t find the checkbox for SAML 2.0 SSO, then SLO is not enabled in your environment. Please raise a support ticket to enable it.

  • Currently, we don’t support SLO for the OpenID Connect SSO type.

Step 2: Validate SLO Integration

1. Test IDP-Initiated Logout:

  • Log into Sprinklr via your IDP.

  • Log out of your IDP’s portal.

  • Attempt to access Sprinklr again. You should be redirected to the login page.

2. Test SP-Initiated Logout:

  • Log into Sprinklr.

  • Click Logout in Sprinklr.

  • Verify that you are logged out of both Sprinklr and your IDP (if your IDP supports SP-initiated SLO).

Note: Sprinklr supports Single Logout only for SAML 2.0 SSO type and not OpenID Connect.
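
When an SP-initiated logout test fails, inspecting the SAMLRequest your browser carries to the Single Logout URL shows whether the binding and URL from Step 1 match what the IDP expects. The following is an added example, not Sprinklr's code: it decodes a SAML 2.0 LogoutRequest under either standard binding and returns the fields worth checking. The sample message and every name in it (idp.example.com, sp.example.com, user@example.com) are constructed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: IdP URL, issuer, NameID and SessionIndex are made up.
SAMPLE = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/slo">'
    '<saml:Issuer>https://sp.example.com/saml</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '<samlp:SessionIndex>_session1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

def encode(xml: str, binding: str) -> str:
    """Encode a message the way each binding carries it (to build test input)."""
    data = xml.encode()
    if binding == "redirect":  # raw DEFLATE, base64, then URL-encoding
        comp = zlib.compressobj(wbits=-15)
        data = comp.compress(data) + comp.flush()
        return urllib.parse.quote_plus(base64.b64encode(data).decode())
    return base64.b64encode(data).decode()  # POST: base64 form field only

def decode_logout_request(value: str, binding: str) -> dict:
    """Decode a SAMLRequest captured from your own session; return key fields."""
    if binding == "redirect":
        raw = base64.b64decode(urllib.parse.unquote_plus(value))
        xml = zlib.decompress(raw, wbits=-15)
    elif binding == "post":
        xml = base64.b64decode(value)
    else:
        raise ValueError("binding must be 'redirect' or 'post'")
    root = ET.fromstring(xml)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 LogoutRequest")
    return {"destination": root.get("Destination"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": root.findtext("saml:NameID", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS)}

if __name__ == "__main__":
    for b in ("redirect", "post"):
        print(b, decode_logout_request(encode(SAMPLE, b), b))
```

Compare the decoded destination with the Single Logout URL entered in the SSO configuration. A value that fails to decode under the binding you selected indicates the request was sent with the other binding.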

Need Help? 

Contact Sprinklr Support at tickets@sprinklr.com for troubleshooting. 
