diff --git a/.env.test b/.env.test
index 4e7f78cd84..ed980aeb7e 100644
--- a/.env.test
+++ b/.env.test
@@ -1,6 +1,7 @@
 DFE_SIGN_IN_API_CLIENT_ID=teacherpayments
 DFE_SIGN_IN_API_SECRET=secret
 DFE_SIGN_IN_API_ENDPOINT=https://example.com
+DFE_SIGN_IN_ISSUER=https://issuer.example.com
 DQT_API_URL=https://teacher-qualifications-api.education.gov.uk/
 DQT_API_KEY=1a2b3c4d5e6f7g8h9i0
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index f0d51b5dbd..19b1b6b153 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -29,6 +29,21 @@ def failure
 end
 end
+ def sign_out
+ case current_journey_routing_name
+ when "further-education-payments-provider"
+ redirect_to(
+ claim_path(
+ journey: current_journey_routing_name,
+ slug: "sign-in"
+ ),
+ notice: "You've been signed out"
+ )
+ else
+ render file: Rails.root.join("public", "404.html"), status: :not_found, layout: false
+ end
+ end
+
+
 def onelogin
 core_identity_jwt = omniauth_hash.extra.raw_info[ONELOGIN_JWT_CORE_IDENTITY_HASH_KEY]
 return process_one_login_identity_verification_callback(core_identity_jwt) if core_identity_jwt
diff --git a/app/models/journeys/further_education_payments/provider.rb b/app/models/journeys/further_education_payments/provider.rb
index d6d79b4c10..ddb3df810f 100644
--- a/app/models/journeys/further_education_payments/provider.rb
+++ b/app/models/journeys/further_education_payments/provider.rb
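Review bot: `sign_out` never clears local state, so a user sent back here by DfE Sign-in's end-session redirect is told "You've been signed out" while the Rails session and the journey session (whose answers hold `dfe_sign_in_uid`, per the provider hunk) are left intact, unless the sign-in page clears them on arrival. Calling `reset_session` (or clearing the journey's session answers) before the `redirect_to` would make the local state match the message. The `when` also hard-codes `"further-education-payments-provider"` while the request spec uses `Journeys::FurtherEducationPayments::Provider::ROUTING_NAME`; matching on the constant keeps the two from drifting. A short comment above the action, `# Target of DfE Sign-in's post_logout_redirect_uri, so it must accept a plain GET`, would record why this is a GET action.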
@@ -27,6 +27,21 @@ def self.request_service_access_url(session)
 "users",
 session.answers.dfe_sign_in_uid
 ].join("/")
 end
+
+ def self.sign_out_url
+ dfe_sign_out_redirect_uri = URI.join(ENV.fetch("DFE_SIGN_IN_ISSUER"), "/session/end")
+
+ post_logout_redirect_uri = URI.join(ENV.fetch("DFE_SIGN_IN_REDIRECT_BASE_URL"), "/further-education-payments-provider/auth/sign-out")
+ client_id = DfeSignIn.configuration.client_id
+
+ params = {
+ post_logout_redirect_uri:,
+ client_id:
+ }
+
+ dfe_sign_out_redirect_uri.query = URI.encode_www_form(params)
+ dfe_sign_out_redirect_uri.to_s
+ end
 end
 end
 end
diff --git a/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb b/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb
index 5779c1faa0..febcdabad4 100644
--- a/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb
+++ b/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb
@@ -12,7 +12,9 @@
 that you have logged in using the correct one.
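Review bot: `URI.join(ENV.fetch("DFE_SIGN_IN_ISSUER"), "/session/end")` resolves an absolute path, so any path component in the configured issuer URL is silently discarded, and the same applies to the `post_logout_redirect_uri` built from `DFE_SIGN_IN_REDIRECT_BASE_URL`. The end-session endpoint is better read from the provider's discovery document (`end_session_endpoint`) than assembled from a guessed path; if it must be assembled, handle a trailing slash on the base explicitly rather than relying on `URI.join` semantics. RP-initiated logout also commonly expects an `id_token_hint`, and without it the provider may not honour `post_logout_redirect_uri` — worth confirming against DfE Sign-in's documentation before relying on the redirect back. A YARD comment, `# @return [String] DfE Sign-in RP-initiated logout URL that returns the user to the provider sign-out route`, would document the contract and which env vars it depends on.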

-

+<%= govuk_button_link_to "Sign out", Journeys::FurtherEducationPayments::Provider.sign_out_url %> + +

Email <%= govuk_mail_to("FE-Levellingup.PremiumPayments@education.gov.uk") %> if you have logged in with the correct organisation and need support.

diff --git a/config/routes.rb b/config/routes.rb
index ebc26afad7..10d7c66cae 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -86,6 +86,7 @@ def matches?(request)
 scope constraints: {journey: "further-education-payments-provider"} do
 get "auth/callback", to: "omniauth_callbacks#callback"
+ get "auth/sign-out", to: "omniauth_callbacks#sign_out"
 end
 scope path: "/", constraints: {journey: Regexp.new(Journeys.all_routing_names.join("|"))} do
diff --git a/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb b/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb
index ff6ed7b41c..449b1ece24 100644
--- a/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb
+++ b/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb
@@ -128,6 +128,8 @@
 expect(page).to have_text(
 "The organisation you have used to log in to DfE Sign-in does not match the organisation in the claim."
 )
+
+ expect(page).to have_link("Sign out", href: Journeys::FurtherEducationPayments::Provider.sign_out_url)
 end
 scenario "provider visits claim with the wrong role" do
diff --git a/spec/requests/omniauth_callbacks_controller_spec.rb b/spec/requests/omniauth_callbacks_controller_spec.rb
index e5731067e3..273c02f746 100644
--- a/spec/requests/omniauth_callbacks_controller_spec.rb
+++ b/spec/requests/omniauth_callbacks_controller_spec.rb
@@ -1,6 +1,37 @@
 require "rails_helper"
 RSpec.describe "OmniauthCallbacksControllers", type: :request do
+ describe "#sign_out" do
+ before do
+ allow_any_instance_of(OmniauthCallbacksController).to receive(:current_journey_routing_name).and_return(journey)
+
+ get auth_sign_out_path(journey: "further-education-payments-provider")
+ end
+
+ context "further education payments provider journey" do
+ let(:journey) { Journeys::FurtherEducationPayments::Provider::ROUTING_NAME }
+
+ it "redirects to the FE sign-in page with a flash message" do
+ expect(response).to redirect_to(
+ claim_path(
+ journey: "further-education-payments-provider",
+ slug: "sign-in"
+ )
+ )
+
+ expect(flash[:notice]).to include("You've been signed out")
+ end
+ end
+
+ context "no journey returns a 404" do
+ let(:journey) { nil }
+
+ it "404 page" do
+ expect(response.body).to include("Page not found")
+ end
+ end
+ end
+
 describe "#callback" do
 def set_mock_auth(trn)
 OmniAuth.config.mock_auth[:default] = OmniAuth::AuthHash.new(
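Review bot: the 404 example only checks that the body contains "Page not found", so the controller rendering the 404 template with a 200 status would still pass; add `expect(response).to have_http_status(:not_found)` alongside it. `allow_any_instance_of` stubs `current_journey_routing_name` for every controller instance in the request, presumably because the route constraint fixes `journey` and the `nil` case cannot otherwise be reached — that reasoning belongs in a one-line comment in the `before` block. The description `"404 page"` reads better as `"renders the 404 page with a not-found status"` once the status assertion is in place.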