Federated logout of IDP

I am using the Org2Org app to configure a hub and spoke scenario to allow SSO into a parent company Okta ORG, while being able to configure the hub ORG independently for our company. The spoke ORG is configured as an IDP in the hub ORG, and the application in question has routing rules to direct all login attempts to the spoke ORG.

For sign-on, this is working well. When a login request comes into our hub, the routing rules direct them to the spoke IDP to enter credentials and drop a cookie. Logging into a second app (or even an app targeting the parent company org directly) works perfectly with SSO due to the cookie placed in the parent ORG domain.

The issue I am facing is when attempting to sign out of our application. I currently clear the local session in the app, and then redirect to the hub org to logout. This removes the cookie in the hub domain, but does not log the user out of the spoke (parent company ORG). If the user navigates back to the application, they are immediately logged in because the session still exists on the parent IDP (spoke ORG). This essentially makes it impossible to log out of our app, unless the user navigates to the parent ORG and logs out manually. But that would require the app to have knowledge of the parent IDP to redirect the user there.

Both Identity Server and Auth0 handle this case by automatically redirecting to the parent IDP logout endpoint if the current session was initiated by an IDP (Auth0 has an optional ‘Federated’ parameter that can be supplied in the logout request). Is there anything like that in OKTA, or are there any other suggestions on how to completely log the user out of the entire session hierarchy?

To be clear, I’m not worried about the user seamlessly being logged out of all applications. I’m just need them to be able to log out of the parent IDP, so the app doesn’t immediately log back in.


Did you ever find a solution. We have the same problem.