SAML integration - Embed link & Logout

Hello,

I am testing a SAML 2.0 app, and I have questions regarding the integration.

  • Embed Link
    I am confused by the embed link from the General Tab. Using the link, I can log in and get a SAML Response at the ACS URL that I set as ‘Single sign on URL’ in SAML Settings.
    I am not sure if I can use the link instead of creating a SAML AuthnRequest. Then I would not need to use a 3rd party library. I would like to know the difference.

  • Single Logout
    I want to log a user out from the Okta SAML app when the user logs out from our web application.
    I set the Single Logout URL (‘Advanced Settings’ on SAML Settings), created a certificate and uploaded the public key to Okta, then sent the Logout SAML request. Is this the correct way to log out?
    Is there a simple way, like the embed link?

Regards,
Jaehun

Embed link - For SAML, it’s preferable to use the Single Sign-on URL as defined under SAML setup settings (refer to image below).

Single logout - you could do it that way if you want Okta to kill its session and your app session. Another approach would be to kill your app session and redirect the user to https://yourdomain.okta.com/login/signout?fromURI=yourappurl. As long as your app URL is whitelisted under Security -> API -> Trusted Origins, this would kill the Okta session and take the user back to a landing page on your app.

Thank you for your answer!

I have some questions related to your answer.

Embed link
Okay, I will use the Identity Provider Single Sign-On URL (https://{mydomain}…/sso/saml) instead of the Embed link.

Single logout
When I send an SLO request, it looks like the main (I am not sure if that is the correct term) Okta session is killed, which means the user cannot even access the user’s home page.

When I redirect the user to https://yourdomain.okta.com/login/signout?fromURI=yourappurl, does it only kill the app session? I can still access the user’s home page. I think the main Okta session is still live. The next time I try to log in to the app, it does not ask me to input a username and password.

If my assumption is correct, I am not sure how the sign out link detects which app should be killed. For example, in case multiple apps use the same domain.

Please correct me if I am wrong.

When you hit https://yourdomain.okta.com/login/signout?fromURI=yourappurl via the browser, Okta will clear the Okta session cookie and kill the Okta session (hope you updated the domain URL to match your Okta domain). You will still need to clear your app session in your app. The process we follow is: when the user clicks on logout in our app, we kill the app session by calling the app’s logout action and then redirect the user to the Okta sign out URL, which will kill the Okta session and take the user back to the app’s non-logged-in homepage (based on the fromURI). Currently, on Okta, there is no way to trigger a logout of all signed in apps.
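An app-side logout action that follows the process described in this answer (clear the app session first, then redirect to the Okta sign-out URL with fromURI), as an added example that is not code from the thread or from Okta. The Okta domain, the trusted-origin list and the function names are assumptions; the origin check mirrors the Trusted Origins whitelist so the redirect target cannot be pointed at an arbitrary site.

```python
from urllib.parse import urlencode, urlsplit

# Assumed values (not from the thread): the Okta org domain and the app
# origins that are whitelisted under Security -> API -> Trusted Origins.
OKTA_DOMAIN = "yourdomain.okta.com"
TRUSTED_ORIGINS = {"https://app.example.com"}


def is_trusted(return_url: str) -> bool:
    """fromURI must point back at an origin Okta has been told to trust.

    Comparing the full origin (scheme + host) rather than a substring means
    a value such as https://app.example.com.evil.net/ is rejected.
    """
    parts = urlsplit(return_url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}" in TRUSTED_ORIGINS


def okta_signout_url(return_url: str) -> str:
    """Build https://{OKTA_DOMAIN}/login/signout?fromURI=... with encoding."""
    if not is_trusted(return_url):
        raise ValueError(f"fromURI is not a trusted origin: {return_url}")
    query = urlencode({"fromURI": return_url})
    return f"https://{OKTA_DOMAIN}/login/signout?{query}"


def logout(session: dict, return_url: str) -> str:
    """App logout action: drop the app session, then hand off to Okta.

    Returns the redirect target; a web framework would answer with a 302.
    The app session is cleared before the redirect so it is gone even if
    the browser never follows the redirect to Okta.
    """
    session.clear()
    return okta_signout_url(return_url)
```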

Thank you, gsvivek.
It worked this morning! I think it is better to use the sign out page for our case.

I would like to ask a question. Could you explain the ‘embed link’?

I notice that the app link on the user dashboard is the same as the embed link. (The app link on the dashboard includes ?fromHome=true.)
In your previous answer, you said that the Single Sign-on URL is the preferable way. I am wondering if the case below is also a valid scenario.

{Embed Link}?RelayState={CompanyId}

This is just personal curiosity.

To be honest, I haven’t seen much of a difference but you can probably check this answer: https://support.okta.com/help/s/question/0D50Z00008OL2n5/what-is-the-difference-embed-link-and-sso-url