website/docs: Update docs for single logout

website/docs/add-secure-apps/flows-stages/stages/user_logout.md

@@ -2,4 +2,20 @@
 title: User Logout stage
 ---
 
-Opposite stage of [User Login Stages](./user_login/index.md). It removes the user from the current session.
+The User Logout stage terminates the user's session in authentik and, if configured, triggers [Single Logout](../../providers/single-logout/index.md) in [SAML](../../providers/saml/saml_single_logout.md) and [OIDC](../../providers/oauth2/fontchannel_and_backchannel_logout.mdx) providers.
+
+## Logout flow injection
+
+authentik dynamically injects logout stages into the user's current logout flow when provider sessions configured for Single Logout are detected:
+
+1. The `flow_pre_user_logout` signal is triggered before the user is logged out
+2. authentik queries for active provider sessions matching the user's authenticated session:
+    - **SAML providers**: Queries active SAML sessions for providers with an SLS URL and logout method configured
+    - **OIDC providers**: Queries for providers with front-channel or back-channel logout enabled
+3. For each logout method with active sessions, the appropriate logout stage is injected:
+    - **iframe logout stage** - Injected at index 1 (immediately after the logout stage) for front-channel iframe logout
+    - **Native logout stage** - Injected at index 2 (after iframe logout, if present) for front-channel native logout
+    - **Back-channel logout** - Executed server-side without injecting additional stages
+4. The user progresses through these injected stages before logout completes
+
+This approach ensures that single logout happens automatically without requiring explicit flow configuration.

website/docs/add-secure-apps/providers/oauth2/fontchannel_and_backchannel_logout.mdx

@@ -0,0 +1,117 @@
+---
+title: OAuth2/OpenID Connect front-channel and back-channel logout
+description: Configure front-channel and back-channel logout for OAuth2/OpenID Connect providers
+authentik_version: "2025.8.0"
+authentik_preview: true
+---
+
+## Overview
+
+OAuth2/OpenID logout is a security feature defined in the OpenID Connect specification. It allows an OpenID Provider (OP), such as authentik, to notify Relying Parties (RPs) when a user session ends. This ensures that all associated applications can properly terminate the user's session.
+
+For more information about single logout across all providers, see the [Single Logout (SLO) Overview](../single-logout/index.md).
+
+:::warning
+Your OAuth application (Relying Party) must explicitly support OpenID Connect front-channel logout or back-channel logout to properly handle logout requests. Not all OAuth applications support these features, so compatibility should be verified.
+:::
+
+## Requirements
+
+Your OAuth application (Relying Party) must:
+
+    - **HTTPS**: Use HTTPS in production.
+    - **Accessible**: Be reachable from authentik.
+    - **Logout endpoint**: Have a defined endpoint to handle OP logout requests (front-channel, back-channel, or both).
+
+## Configuration
+
+### Set up single logout
+
+1. In the Admin interface, navigate to **Applications** > **Providers**
+2. Edit or create an OAuth2 provider
+3. In the **Logout URI** field, enter the endpoint for logout (if supported by your RP)
+4. Select the **Logout method** to define whether the RP supports **Front-channel logout** or **Back-channel logout** at that URI
+5. Click **Finish** to save your changes
+
+:::info
+Back-channel logout is the only way to ensure that users are logged out of the provider when their session is administratively terminated (e.g., when a user is deactivated or their session is deleted).
+:::
+
+### Logout URI format
+
+The **Logout URI** should be a single URL provided by your Relying Party application, for example:
+
+#### Back-channel
+
+```
+https://app.example.com/oauth/backchannel-logout
+https://api.service.com/logout/backchannel
+https://client.example.org/backchannel-logout
+```
+
+#### Front-channel
+
+```
+https://app.example.com/oauth/logout
+https://api.service.com/logout
+```
+
+## How OpenID Connect single logout works
+
+### Back-channel logout
+
+With back-channel logout, authentik sends logout requests directly from the server to the Relying Party's back-channel logout endpoint using HTTP POST. The logout request includes a signed JWT logout token that contains:
+
+    - `iss` (issuer): The authentik issuer URL
+    - `sub` (subject): The user's unique identifier
+    - `aud` (audience): The client ID
+    - `iat` (issued at): Token creation timestamp
+    - `jti` (JWT ID): Unique token identifier
+    - `events`: Logout event claim
+    - `sid` (session ID): The session identifier (if available)
+
+Example back-channel logout request:
+
+```http
+POST /backchannel-logout HTTP/1.1
+Host: client.example.org
+Content-Type: application/x-www-form-urlencoded
+
+logout_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
+```
+
+Back-channel logout is triggered when:
+
+    - A user logs out through a logout flow
+    - An administrator deletes a user's session
+    - A user account is deactivated
+    - A session expires or is revoked
+
+### Front-channel logout
+
+With front-channel logout, authentik injects an iframe logout stage into the logout flow. This stage loads the Relying Party's front-channel logout URL in a hidden iframe within the user's browser. The logout URL includes session information as query parameters:
+
+    - `iss`: The authentik issuer URL
+    - `sid`: The session identifier
+
+Example front-channel logout iframe:
+
+```html
+<iframe
+    src="https://app.example.com/oauth/logout?iss=https://authentik.company&sid=session_id"
+></iframe>
+```
+
+The RP processes the logout request and terminates the user's session. After all iframes complete their requests, the user continues through the authentik logout flow.
+
+:::info
+Front-channel logout only works for user-initiated logouts through a logout flow. It cannot be used for administrative session termination since it requires an active browser session.
+:::
+
+## Resources
+
+- [Single Logout (SLO) Overview](../single-logout/index.md)
+- [User Logout Stage](../../flows-stages/stages/user_logout.md)
+- [OAuth2 Provider Configuration](./index.mdx)
+- [OpenID Connect Back-Channel Logout 1.0 Specification](https://openid.net/specs/openid-connect-backchannel-1_0.html)
+- [OpenID Connect Front-Channel Logout 1.0 Specification](https://openid.net/specs/openid-connect-frontchannel-1_0.html)

website/docs/add-secure-apps/providers/oauth2/index.mdx

@@ -74,7 +74,7 @@ For advanced use cases, an authentik admin can use regular expressions (regex) i
 
 Using back-channel logout (a server-to-server notification mechanism) allows an identity provider to notify connected OAuth2/OpenID clients whenever a user's session is terminated.
 
-For more information, see our [OAuth2/OpenID Connect back-channel logout](./backchannel-logout.mdx) documentation.
+For more information, see our [OAuth2/OpenID Connect front-channel and back-channel logout](./fontchannel_and_backchannel_logout.mdx) documentation.
 
 ## OAuth 2.0 flows and grant types
 

website/docs/add-secure-apps/providers/saml/saml_single_logout.md

@@ -0,0 +1,76 @@
+---
+title: SAML Single Logout
+---
+
+[Single logout (SLO)](../single-logout/index.md) allows you to configure authentik to log out a user from all supported providers simultaneously when signing out of authentik. For SAML providers, this requires your service provider to support Single Logout via a Single Logout Service URL. Check with your provider to see if they support Single Logout, as not all providers do.
+
+## Configure your SAML provider
+
+To enable single logout, add a **Single Logout Service URL** to your SAML provider. The URL is the service provider’s endpoint to which authentik sends logout requests.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface
+2. Navigate to **Applications** > **Providers**
+3. Click the edit icon of the SAML provider that you want to configure for SLO
+4. Set the **SLS URL** field to your service provider's logout endpoint
+5. Select the appropriate **SLS Binding**:
+    - **Redirect** - Uses HTTP redirects to send logout requests to the provider (front-channel only)
+    - **POST** - Supports both front-channel and back-channel logout methods
+6. Select the appropriate **Logout Method**:
+    - **Front-channel iframe** - Performs parallel logout requests using hidden iframes. Supports both Redirect and POST bindings
+    - **Front-channel native** - Uses the active browser tab to chain redirects and POST requests for sequential logout. Supports both Redirect and POST bindings
+    - **Back-channel** - Performs server-to-server POST requests to log out the user. Requires POST SLS binding. Users are logged out even when their session is administratively terminated
+7. (Optional) Enable **Sign Logout Request** to cryptographically sign SAML logout requests sent to the service provider
+8. Click **Finish**
+
+:::info
+Back-channel logout ensures users are logged out even when their session is terminated administratively (e.g., when a user is deactivated or their session is deleted). This requires POST SLS binding.
+:::
+
+## How SAML Single Logout Works
+
+When a user logs out of authentik through a logout flow, authentik initiates the single logout process for all SAML providers configured with an SLS URL and logout method.
+
+### Front-channel iframe logout
+
+With front-channel iframe logout, authentik injects an iframe logout stage into the logout flow. This stage loads all provider logout URLs simultaneously in hidden iframes within the browser, allowing parallel logout across multiple providers. After all iframes complete their requests, the user continues through the authentik logout flow.
+
+### Front-channel native logout
+
+With front-channel native logout, authentik chains logout requests sequentially using the active browser tab. For POST bindings, the browser automatically submits forms to each provider. For Redirect bindings, the browser follows redirect URLs. Each provider returns the user to authentik who redirects to the next provider. After all providers have been visited, the user completes the authentik logout flow.
+
+### Back-channel logout
+
+With back-channel logout, authentik sends SAML logout requests directly from the server to each provider's SLS URL using HTTP POST. This happens asynchronously and does not require browser interaction. Back-channel logout is also triggered automatically when:
+
+    - A user's session is administratively deleted.
+    - A user account is deactivated.
+
+:::info
+Back-channel logout requires POST SLS binding.
+:::
+
+## Binding Comparison
+
+| Feature              | Redirect Binding      | POST Binding             |
+| -------------------- | --------------------- | ------------------------ |
+| Front-channel iframe | ✅ Supported          | ✅ Supported             |
+| Front-channel native | ✅ Supported          | ✅ Supported             |
+| Back-channel         | ❌ Not supported      | ✅ Supported             |
+| Request sent via     | URL query parameters  | HTTP POST body           |
+| Maximum data size    | Limited by URL length | Large requests supported |
+
+## SAML session tracking
+
+authentik tracks SAML sessions for each provider to support single logout. When a user successfully authenticates to a SAML provider, authentik creates a `SAMLSession` record containing:
+
+    - The SAML `SessionIndex`
+    - The `NameID` and `NameID format` used for the session
+    - A link to the user's authenticated session
+
+These session records are used to generate proper SAML logout requests with the correct `SessionIndex` and `NameID` values that the service provider expects.
+
+## Resources
+
+- [Single Logout (SLO) Overview](../single-logout/index.md)
+- [User Logout Stage](../../flows-stages/stages/user_logout.md)
+- [SAML Profiles 2.0 Specification](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)