User Logout stage
The User Logout stage ends the user's session in authentik and, if configured, triggers Single Logout (SLO) for SAML and OIDC providers.
Logout flow injection
authentik dynamically injects logout stages into the user's current logout flow when provider sessions configured for Single Logout are detected:
- The
flow_pre_user_logoutsignal is triggered before the user is logged out - authentik queries for active provider sessions matching the user's authenticated session:
- SAML providers: Queries active SAML sessions for providers with an SLS URL and logout method configured
- OIDC providers: Queries for providers with front-channel or back-channel logout enabled
- For each logout method with active sessions, the appropriate logout stage is injected:
- iframe logout stage: Injected at index 1 (immediately after the logout stage) for front-channel iframe logout
- Native logout stage: Injected at index 2 (after the iframe logout, if present) for front-channel native logout
- Back-channel logout: Executed server-side without injecting additional stages
- The user progresses through these injected stages before logout completes
This approach ensures that single logout happens automatically without requiring explicit flow configuration.