How to retrieve the Okta Session ID via SAML (for MVC 5 OWIN App)?

Hi Fellows,

I’m pretty new to the Okta topics, so I’d like you to bear with me if I’m asking questions which might seem elementary… But for those questions I’ve already searched the internet and have not found enough information… So please bear with me…

Now to my actual question:
I’m trying to retrieve the Okta Session ID from the backend of an MVC 5 OWIN application (ASP.NET 5). The login operation through the Saml2/Acs endpoint went okay. The SAMLResponse contains information about the so-called Session Index, but this is not the Session ID which I need.
So why do I need the Session ID? I need it in order to make the two calls “Extend Session” and “Clear Session”, as the application workflow does not allow the standard “Single Logout” path.

I’ve found this SO question, where the only possible way to get the Session ID is through Okta Sessions API (from the frontend).
Is that currently also true? No other way exists to retrieve that Session ID (and especially from the backend)?

If you have questions or need more information regarding the topic, please write here.
Many thanks and kind regards,
Rama.

I think you may do a trick and make your frontend ask for a session through the API and then share it with your backend, for you to extend/terminate - https://developer.okta.com/docs/reference/api/sessions/#get-current-session

Hi phi1ipp,

Thank you for your suggestion, however I was already aware of the suggested way - look at the linked SO post.
My question is if there is another way, especially from the application’s server side, to retrieve the ID of the current authenticated session…

Well, the only thing I can help you with is a way to terminate Okta’s session w/o knowing its ID. You can redirect a user to https://your_tenant.okta.com/login/signout?fromURI=your_redirect_here and their Okta session will be terminated.

As for extension, I personally would stick to some JS timer activity on a client page, for them to hit Okta on their own to extend their session.

Thanks phi1ipp for this idea - in general it seems to function, at least to some extent…

The signout endpoint does indeed terminate the session, but it seems it does not redirect to the redirect URI specified in fromUri… Instead it shows the login endpoint.

Do you know how to force Okta to redirect to a URI specified by the caller (me)?

Make sure this redirect URI is listed as a trusted one in your tenant. Also, my bad, it’s fromURI (all caps at the end).

Thanks phi1ipp, that functions properly now - I was not aware that the fromURI query parameter should be exactly as it has been put in the trusted origins list (including the trailing slash, for example, if such has been specified in the trusted origin entry).
I do have one (hopefully) final question - how does Okta recognize that on the signout endpoint only a specific session should be deleted? Or does calling that endpoint log out all currently logged-in sessions?

Hi phi1ipp,

I’m experiencing strange behavior - if I call the signout endpoint in the browser, then the session gets terminated properly. If I call that same signout endpoint from the backend, it returns the correct page content (of the redirected page), but otherwise no session termination occurs…
I assume there is a request header value, which the browser sets (as HttpOnly), which I’m not able to set on the backend side…
Any thoughts on this?

Many thanks,
rama.

It works with a cookie, which the user agent is carrying while going to Okta, hence Okta knows what session it’s working with.

See my previous answer: it has to have an Okta session cookie, that’s why the backend is not supposed to work.
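As an added illustration (not code from the thread, and not Okta's own code), the browser-side helpers below put together the two pieces discussed above: phi1ipp's suggestion that the frontend, which carries the Okta session cookie, asks the Sessions API for the current session and hands the ID to the backend so it can extend or clear that session, and the signout redirect whose fromURI has to match a trusted-origin entry exactly. The org URL reuses the thread's https://your_tenant.okta.com placeholder; the trusted-redirect list and the session ID used in the comments are constructed values, and the fetch implementation is injectable so the function can be exercised without contacting Okta.

```javascript
// Added example for this thread (not Okta's code and not from the original posts).
// Browser-side helpers: fetch the current Okta session ID using the session
// cookie the browser carries, and build a signout URL only for a fromURI that
// exactly matches a trusted-origin entry.

// Placeholder org URL reused from the thread; replace with your own tenant.
const OKTA_ORG = "https://your_tenant.okta.com";

// Constructed list of redirect URIs registered as trusted origins in the tenant.
// As noted in the thread, the match is exact, trailing slash included.
const TRUSTED_REDIRECTS = new Set(["https://app.example.test/loggedout/"]);

function isTrustedRedirect(uri) {
  return TRUSTED_REDIRECTS.has(uri);
}

// Build https://<org>/login/signout?fromURI=<encoded uri>, refusing anything
// that is not an exact trusted-origin entry (Okta would fall back to its login
// page otherwise, as the thread observed).
function buildSignoutUrl(fromUri) {
  if (!isTrustedRedirect(fromUri)) {
    throw new Error(`fromURI is not a trusted origin: ${fromUri}`);
  }
  const url = new URL("/login/signout", OKTA_ORG);
  url.searchParams.set("fromURI", fromUri); // parameter name is fromURI, capital URI
  return url.toString();
}

// Ask Okta which session this browser is in. credentials: "include" sends the
// Okta session cookie; a server-side request carries no such cookie, which is
// why the same call from the backend finds no session. fetchImpl is injectable
// so the function can be exercised offline.
async function getCurrentSessionId(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${OKTA_ORG}/api/v1/sessions/me`, {
    method: "GET",
    credentials: "include",
    headers: { Accept: "application/json" },
  });
  if (res.status === 404) return null; // no active Okta session for this browser
  if (!res.ok) throw new Error(`GET /api/v1/sessions/me returned ${res.status}`);
  const session = await res.json();
  return session.id; // e.g. a constructed "sess_constructed_123"
}

// Once the backend holds the ID (sent to it over the app's own authenticated
// channel), it can act on that session with an API token (Authorization: SSWS
// <token>) using the Sessions API by-ID endpoints.
function backendSessionRequest(action, sessionId) {
  const id = encodeURIComponent(sessionId);
  switch (action) {
    case "extend":
      return { method: "POST", url: `${OKTA_ORG}/api/v1/sessions/${id}/lifecycle/refresh` };
    case "clear":
      return { method: "DELETE", url: `${OKTA_ORG}/api/v1/sessions/${id}` };
    default:
      throw new Error(`unknown action: ${action}`);
  }
}
```

In use, the page would call getCurrentSessionId() after the SAML login completes and post the returned ID to the MVC backend; the backend then issues the request described by backendSessionRequest("extend", id) or backendSessionRequest("clear", id) with its SSWS API token. Keeping the fromURI check on an exact allow-list mirrors what Okta's trusted-origins setting enforces, so a mismatch shows up in your own code before the redirect is attempted.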