CORS and Non-SLO logout with SAML

Hi,

I am using Java 11, Spring Security 5.5.0, and OpenSAML 4.4.1 to implement a SAML framework on the server side. I’ve gone this route to hopefully support more than one type of IdP based on customer preference. At the moment I am not using any Okta library or Javascript components to build the current implementation.

In my development testing, I do not have any trouble successfully completing the login sequence with an Okta developer account or a few other IdPs. What I am having an issue with is the logout. My intent is to perform an application session logout for the user, and not the full SLO, so that if the user is logged into other applications by way of Okta authentication those will still work.

I have found a couple of short discussions on using this API call:

https://{my okta domain}/login/signout?fromURI={application’s landing url}

When used as a URL standalone, this works fine in a browser tab after logging into my application via Okta. However, when I programmatically redirect to this URL within the application, I am getting a CORS error:

Access to XMLHttpRequest at ‘https://{my okta domain}/login/signout?fromURI=https%3A%2F%2Flocalhost%3A8081%2Fadmin%2F’ from origin ‘https://localhost:8081’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

I have added my base URL (https://localhost:8081) as a trusted origin with the CORS and Redirect options selected with no change in the result. I also added the javascript test (e.g. Enable CORS | Okta Developer) in my client and it outputs “Invalid URL or Cross-Origin Request Blocked…” and to add my URL as a trusted origin; which I have already done.

From that message I am assuming that this Okta server endpoint is not configured for CORS. At this point I am out of ideas and could use some suggestions on how I should perform a non-SLO logout. Or is it even possible 🙂

Thanks,
James

This endpoint does not support CORS, you must redirect to it. Maybe you want to look into DELETE /api/v1/sessions/me, which does support CORS and can be used to end a user’s session in Okta.
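Both options from the reply above, as an added browser-side example that is not code from the thread or from Okta: the `/login/signout` endpoint only works as a top-level navigation (no CORS), while `DELETE /api/v1/sessions/me` can be called with `fetch` from a trusted origin and then followed by the application's own logout. `OKTA_ORIGIN` keeps the thread's placeholder, `APP_LOGOUT_URL` is a hypothetical application endpoint, and `fetchImpl`/`navigate` are injectable only so the logic can be exercised outside a browser.

```javascript
const OKTA_ORIGIN = 'https://{my okta domain}'; // placeholder from the thread, replace with your org URL
const APP_LOGOUT_URL = 'https://localhost:8081/admin/logout'; // hypothetical app-session logout endpoint

// Option 1: /login/signout has no CORS support, so it must be a top-level redirect
// (window.location), never an XMLHttpRequest/fetch. fromURI is percent-encoded.
function signoutViaRedirect(landingUrl, navigate = (u) => window.location.assign(u)) {
  const target = `${OKTA_ORIGIN}/login/signout?fromURI=${encodeURIComponent(landingUrl)}`;
  navigate(target);
  return target;
}

// Option 2: close only the Okta session (not SLO) via the Sessions API, which does
// support CORS. credentials: 'include' makes the browser attach the Okta session
// cookie to the cross-origin request; your app origin must be a CORS trusted origin.
async function endOktaSession(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${OKTA_ORIGIN}/api/v1/sessions/me`, {
    method: 'DELETE',
    credentials: 'include',
  });
  // 204 No Content: session closed. 404: no Okta session for this browser, which is
  // treated here as already signed out (assumption for this example).
  const ended = res.status === 204 || res.status === 404;
  return { oktaSessionEnded: ended, status: res.status };
}

// Non-SLO logout: end the Okta session first, then navigate to the app's own logout.
// The final redirect is a top-level navigation, so CORS does not apply to it.
async function nonSloLogout({ fetchImpl = globalThis.fetch,
                              navigate = (u) => window.location.assign(u) } = {}) {
  const result = await endOktaSession(fetchImpl);
  if (!result.oktaSessionEnded) {
    // Surface the failure for logging; the app session is still terminated below.
    console.warn(`Okta session delete returned HTTP ${result.status}`);
  }
  navigate(APP_LOGOUT_URL);
  return result;
}
```

If the Okta session is left open (Option 2 fails), the user remains signed in at Okta and a later SAML login will succeed without a prompt, so log the status rather than silently ignoring it.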

Hi @andrea

Thank you for the suggestion! I’ve implemented the session API call on the client side and my end-to-end SAML flow is complete.

Any thoughts on why the Okta session ID cannot be included in the successful SAML response as an attribute? This would simplify things for me where I could invoke that API call from the server side. There is no way to get the Okta credential cookies in javascript since it is from the Okta domain.

James

I do not and I don’t work with SAML too much, but I do wonder if the SAML Inline Hook would work for this.

If you take a look at the sample payload for this hook, you’ll see that the session id will be sent to the hook endpoint you use and you should be able to add it to the SAML assertion. I’ve done the same thing using our Token Inline Hook for an OIDC application, so I imagine it will work here too.