Problems with SAML IDP Discovery - Security Issue Not Logging Out

So I noticed an issue while I was trying to set up the IDP widget. (Just starting to implement Okta.) I was doing it self-hosted and in a hacky way that I found online when I experienced this issue. I then confirmed that the same issue occurs with my actual Okta login.

So I have a SAML IDP set up in Okta with Azure for our employee accounts. I have IDP discovery set up in Okta for the accounts. I log into Okta using account A. I get sent to Azure and prompted to log in, so I do so and get logged into Okta. I then click sign out in Okta. I go back to the login and when prompted for the email I type in the email of account B. However, I get redirected to Azure, which then logs me in as account A because the session still existed in Azure.

In our applications that currently use SAML, when you click the logout button in the app we send a request to the IDP to log the person out. Then when you go back to the login, Azure will prompt them for new credentials. I think the URL that is used for this is called SLO.

I have been digging through Okta for a day and I can't seem to find a way to implement this functionality, so that when someone logs out of Okta and/or when an application using Okta for auth kills the Okta session, the person is also logged out of the IDP. It seems like a major usability/security thing to type a username into the username box and then get logged in as a different user.

Anyone have any guesses or solutions? I'm hoping I just overlooked a setting.

We do not support the type of single logout you describe and it's not something commonly done from what I understand. If the user logged in through, say, Google or a SAML IdP to create their Okta session, ending their Okta session (via an App or from the Okta dashboard directly) will NOT affect the session the user has with their IdP, but if you wanted to support this, you can look into closing this session from your application instead of via Okta. Further, most end-users would not expect (and would likely be frustrated by) an application logging them out from their IdP.
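The application-initiated IdP logout the reply points to, as an added example that is not from this thread or from Okta: it builds an unsigned SAML 2.0 LogoutRequest and encodes it for the HTTP-Redirect binding, plus the inverse so you can inspect what was sent from an access log. The issuer, SLO endpoint, NameID and SessionIndex values are constructed placeholders; the real ones come from the IdP's metadata and from the assertion it returned at sign-in, and many IdPs additionally require the request to be signed, which this example leaves out.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_logout_request(issuer, destination, name_id, session_index,
                         name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"):
    """Build an unsigned SAML 2.0 LogoutRequest; returns (request_id, xml_bytes).

    name_id and session_index must be the values the IdP issued in the original
    Response/Assertion, otherwise the IdP has no session to match and end.
    """
    request_id = "_" + uuid.uuid4().hex  # SAML IDs must not start with a digit
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                      {"ID": request_id, "Version": "2.0",
                       "IssueInstant": now, "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(root, encoding="utf-8")

def redirect_binding_url(destination, xml_bytes, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate stream
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return destination + "?" + urlencode(params)

def decode_saml_request(url):
    """Reverse the binding so the LogoutRequest can be inspected as XML."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(deflated, -15))

if __name__ == "__main__":
    # Constructed placeholder values, not a real SP, IdP or user.
    rid, xml = build_logout_request("https://app.example.com/saml/metadata",
                                    "https://idp.example.com/saml2/logout",
                                    "user.a@example.com", "_session-index-from-assertion")
    print(redirect_binding_url("https://idp.example.com/saml2/logout", xml, "post-logout"))
```

The browser is redirected to the returned URL after the application's own session is cleared, so the IdP ends its session before the next user reaches the discovery prompt.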
