Okta back channel initiated logout

We’ve successfully accomplished most of our development goals with the Okta integration. However, I’m having a hard time finding documentation on how to allow Okta to sign out of our application. We assume that if the user signs out of Okta, then they should no longer be able to access our application, but we do not know how to configure Okta to call our IDP logout URL when the logout is not initiated by our application.

So here is the scenario. A user is using Okta to login to multiple applications, one of which is ours. The user logs out of Okta through your web interface or some other SLO method, not our application. We would expect Okta to send our IDP a notification to log the user out of our application.

Is this a valid scenario that we need to address? If so, can anyone point me in the right direction to get some help on how to get this working?

I don’t think there’s any out-of-the-box way for Okta to call logout endpoints for all integrated apps. You’d probably need to roll your own. Here are the links to the various logout / revocation mechanisms (which you may already have read).

API Specs
Logout (OpenID Connect & OAuth 2.0 API) | Okta Developer
Revoke (OpenID Connect & OAuth 2.0 API) | Okta Developer
Close sessions (Sessions) | Okta Developer
Close current session (Sessions) | Okta Developer
Clear User Sessions (Users) | Okta Developer

Clear User Sessions gets rid of all cookies and tokens (nuclear option).

Blog articles

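The reply above says the notification side has to be rolled by hand, so the receiving side is worth spelling out. The following is an added example, not code from the original thread and not an Okta feature: an application endpoint shaped like an OpenID Connect Back-Channel Logout receiver. It accepts a `logout_token` JWT, checks the signature before trusting any claim, requires the back-channel logout `events` claim, rejects any token carrying a `nonce` (which is how an ordinary ID token is kept from being replayed as a logout), enforces single use via `jti`, and then terminates the local sessions that match the token's `sid` (or, failing that, its `sub`). `ISSUER`, `CLIENT_ID`, the session ids, the shared-secret HS256 key and the `mint_logout_token` helper are all assumptions constructed for the example; a real IdP signs with an asymmetric key that you would verify against its JWKS, and whether Okta will emit such a token for your app is not established by this thread.

```python
"""Back-channel logout receiver (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Assumed values for the example; substitute your authorization server and client.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oa_example_client_id"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class LogoutTokenError(Exception):
    """Raised when a logout_token fails any validation step."""


def _verify_and_decode(token: str, key: bytes) -> dict:
    # Signature first: no claim is trusted until it verifies. HS256 with a shared
    # secret keeps the example offline; production verifies RS256/ES256 via JWKS.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise LogoutTokenError("malformed token") from exc
    if header.get("alg") != "HS256":  # never let the token pick 'none' or another alg
        raise LogoutTokenError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise LogoutTokenError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_logout_token(token: str, key: bytes, seen_jtis: set, now=None) -> dict:
    claims = _verify_and_decode(token, key)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if CLIENT_ID not in aud_list:
        raise LogoutTokenError("not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60:  # 60 s clock skew allowance
        raise LogoutTokenError("missing or future iat")
    if "exp" in claims and claims["exp"] < now:
        raise LogoutTokenError("expired")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("not a back-channel logout event")
    if "nonce" in claims:  # MUST be absent: blocks an ID token being replayed as a logout
        raise LogoutTokenError("nonce present")
    if not claims.get("sub") and not claims.get("sid"):
        raise LogoutTokenError("neither sub nor sid")
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        raise LogoutTokenError("missing or replayed jti")
    seen_jtis.add(jti)
    return claims


def handle_backchannel_logout(form: dict, key: bytes, sessions: dict, seen_jtis: set, now=None):
    """POST handler. `sessions` maps a local session id to {"sub": ..., "sid": ...}.
    Returns (http_status, list_of_terminated_local_session_ids)."""
    token = form.get("logout_token")
    if not token:
        return 400, []
    try:
        claims = validate_logout_token(token, key, seen_jtis, now)
    except LogoutTokenError:
        return 400, []
    if claims.get("sid"):  # a sid names one IdP session; prefer it over the broader sub
        doomed = [k for k, s in sessions.items() if s.get("sid") == claims["sid"]]
    else:
        doomed = [k for k, s in sessions.items() if s.get("sub") == claims["sub"]]
    for k in doomed:
        del sessions[k]
    return 200, doomed


def mint_logout_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the IdP used only to exercise the receiver."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    key = b"shared-secret-for-demo-only"  # assumed; a real IdP uses an asymmetric key
    sessions = {"local-1": {"sub": "00u_alice", "sid": "okta-sid-A"},
                "local-2": {"sub": "00u_alice", "sid": "okta-sid-B"}}
    seen = set()
    tok = mint_logout_token({"iss": ISSUER, "aud": CLIENT_ID, "iat": int(time.time()),
                             "jti": "evt-1", "sub": "00u_alice", "sid": "okta-sid-A",
                             "events": {BACKCHANNEL_EVENT: {}}}, key)
    print(handle_backchannel_logout({"logout_token": tok}, key, sessions, seen))  # (200, ['local-1'])
    print(handle_backchannel_logout({"logout_token": tok}, key, sessions, seen))  # replay: (400, [])
```

The receiver answers 400 for every failure so the IdP can retry or log it, and it never reveals which check failed. Keep the `jti` store shared across application instances (a cache with a TTL at least as long as the token lifetime), otherwise a replayed token can be accepted by a different node.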