# Configuring Single Logout with HarvardKey

 



If your application offers a signout/logout button and you would like to sign users out of their HarvardKey session in addition to the application session, your application may send a single logout (SLO) call to HarvardKey. Applications must be configured to enable SLO as part of the HarvardKey registration process and should use the standard SLO process for their associated protocol. Generally we recommend sending the SLO call after terminating the local application session.

## For SAML Integrations:

1. As part of the registration process:
    - Provide a signing certificate (SLO cannot be enabled without this)
    - If you would like a SAML response sent to the application, provide the custom logout redirect URL to which HarvardKey should send the response
2. To initiate HarvardKey logout:
    - Call the logout URL provided in the HarvardKey IdP metadata and send the standard SAML logout payload
3. After Okta ends the HarvardKey session, it will redirect the user to a default logout landing page unless you provide a custom logout redirect URL. Each registration can be configured with a single custom logout redirect URL; we are unable to support dynamic logout redirects.

## For OIDC Integrations:

1. As part of the registration process:
    - Provide a Post Logout Redirect URI
2. To initiate HarvardKey logout:
    1. Call the well-known OIDC logout URI (<https://login.harvard.edu/oauth2/v1/logout>) and send the following as part of the logout call:
        - ID Token Hint (provided to app when session is initiated)
        - Post Logout Redirect URI (must match what is included in your registration)
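
The OIDC logout flow above, sketched as an added example (not HarvardKey's or Okta's own code): it ends the local session first, then builds the logout call with the two required values. Assumptions: the `session` mapping, the `app.example.edu` URI and the function names are hypothetical, and `state` is the optional parameter from the OIDC RP-Initiated Logout specification, which this page does not mention.

```python
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlencode, urlsplit, parse_qs

# Logout endpoint as given on this page.
LOGOUT_ENDPOINT = "https://login.harvard.edu/oauth2/v1/logout"
# Assumption: placeholder for the Post Logout Redirect URI in your registration.
REGISTERED_POST_LOGOUT_URI = "https://app.example.edu/signed-out"


def start_single_logout(session: dict) -> Tuple[str, str]:
    """End the local session, then return (HarvardKey logout URL, state).

    `session` is a hypothetical server-side session mapping that stored the
    raw ID token under "id_token" when the user signed in.
    """
    id_token = session.get("id_token")
    if not id_token:
        raise ValueError("no ID token in session; cannot send id_token_hint")
    # Read the token first, then terminate the local application session
    # before the browser is sent to HarvardKey.
    session.clear()
    # Optional per-logout value; keep it outside the cleared session
    # (for example in a short-lived cookie) to check on return.
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": REGISTERED_POST_LOGOUT_URI,
        "state": state,
    })
    return f"{LOGOUT_ENDPOINT}?{query}", state


def logout_return_is_valid(callback_url: str, expected_state: str) -> bool:
    """True if the return request hit the registered URI and echoes our state."""
    got = urlsplit(callback_url)
    reg = urlsplit(REGISTERED_POST_LOGOUT_URI)
    if (got.scheme, got.netloc, got.path) != (reg.scheme, reg.netloc, reg.path):
        return False
    returned = parse_qs(got.query).get("state", [""])[0]
    # Constant-time comparison of the echoed state value.
    return hmac.compare_digest(returned.encode(), expected_state.encode())
```

Because the redirect URI is a fixed constant taken from the registration, the application never forwards a caller-supplied return address to the logout endpoint.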