So I noticed an issue while I was trying to set up the IDP widget (just starting to implement Okta). I was doing it self-hosted, in a hacky way that I found online, when I experienced this issue. I then confirmed that the same issue occurs with my actual Okta login.
So I have a SAML IDP set up in Okta with Azure with our employee accounts. I have IDP discovery set up for Okta for the accounts. I log into Okta using account A. I get sent to Azure and prompted to log in, so I do so and get logged into Okta. I then click sign out in Okta. I go back to the login account and, when prompted for the email, I type in the email of account B. However, I get redirected to Azure, which then logs me in as account A because the session still existed in Azure.
In our applications that currently use SAML, when you click the logout button in the app, we send a request to the IDP to log the person out. Then, when you go back to the login, Azure will prompt them for new credentials. I think the URL that is used for this is called SLO.
I have been digging through Okta for a day and I can't seem to find a way to implement this functionality, so that when someone logs out of Okta, and/or when an application using Okta for auth kills the Okta session, the person is also logged out of the IDP. It seems like a major usability and security issue to type a username into the username box and then get logged in as a different user.
Anyone have any guesses or solutions? I'm hoping I just overlooked a setting.
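For readers unfamiliar with the SLO request the post refers to, here is an added illustration (not the poster's code, and not Okta's) of what an SP-initiated SAML 2.0 LogoutRequest looks like on the HTTP-Redirect binding, plus a decoder for inspecting what a service provider actually sends to its IdP. The entity ID and SLO endpoint are placeholder assumptions, and the query-string signature (SigAlg/Signature) that most IdPs require before honouring a logout is left out.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder endpoints (assumptions, not from the post): the SP's entity ID and
# the IdP's SingleLogoutService URL that the LogoutRequest is addressed to.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
IDP_SLO_URL = "https://idp.example.com/saml2/logout"


def build_logout_request(name_id: str, session_index: str, issued_at=None) -> str:
    """Return an (unsigned) SAML 2.0 <LogoutRequest> naming the IdP session to end."""
    issued_at = issued_at or datetime.datetime.now(datetime.timezone.utc)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": issued_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SLO_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    }).text = name_id
    # SessionIndex comes from the original assertion; it scopes the logout to that session
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(xml: str, relay_state: str = "/") -> str:
    """HTTP-Redirect binding: raw DEFLATE the XML, base64 it, put it in the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state}
    return IDP_SLO_URL + "?" + urlencode(params)


def decode_redirect_request(url: str) -> dict:
    """Reverse the binding, e.g. to check what an SP really sends to the IdP's SLO URL."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return {
        "type": root.tag.split("}")[1],
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }
```

If the IdP session is still alive after the SP's local logout (the symptom in the post), the first thing to check is whether any such request ever reaches the IdP's SLO URL at all.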