I am testing SAML2.0 app, and I have questions regarding the integration.
Embed Link
I am confused with embed link from General Tab. Using the link, I can login and get SAML Response from ACS url that I set ‘Single sign on URL’ on SAML Settings.
I am not sure if I can use the link instead of creating SAML AuthnRequest. Then I do not need to use 3rd party library. I would like to know the difference.
Single Logout
I want to log a user out from Okta SAML app when the user log out from our web application.
I set Single Logout URL(‘Advanced Settings’ on SAML Settings) and created a certificate and upload the public key to Okta, then send the Logout SAML request. Is this the correct way to logout?
Is there a simple way like embed link?
Single logout - you could do it that way if you want Okta to kill it’s session and your app session. Another approach would be to kill your app session and redirect user to https://yourdomain.okta.com/login/signout?fromURI=yourappurl. As long as your app url is whitelisted under Security -> API -> Trusted Origins, this would kill the Okta session and take the user back to a landing page on your app.
Embed link
Okay, I will use Identity Provider Single Sign-On URL (https://{mydomain}…/sso/saml) instead of Embed link.
Single logout
When I send SLO request, it looks like the main(I am not sure if that is correct term) Okta session is killed, which means the user cannot even access user’s home page.
When I redirect user to https://yourdomain.okta.com/login/signout?fromURI=yourappurl, does it only kills app session? I still can access the user’s home page. I think the main Okta session is live. Next time, I try to login to the app, it does not ask input username and password.
If my assumption is correct, I am not sure how the sign out link detect app which be killed. For example, in case multiple apps use the same domain.
When you hit https://yourdomain.okta.com/login/signout?fromURI=yourappurl via browser, Okta will clear the Okta session cookie and kill Okta session (hope you updated the domain url to match your Okta domain). You will still need to clear your app session in your app. The process we follow is, when user clicks on logout in our app, we kill the app session by calling app’s logout action and then redirect user to the Okta sign out URL which will kill Okta session and take user back to the app’s non-logged in homepage (based on the fromURI). Currently, on Okta, there is no way to trigger a logout of all signed in apps.
I notice that app link on user dashboard is the same with the embed link. (App link on dashboard includes ?fromHome=true)
In previous answer, you said that Single Sign-on URL is preferable way. I am wondering if below case is also valid scenario.
I logout using SLO ( Single Logout ) URL, but When I login back, it still does not ask user credentials . how to do for this issues. Please give me suggestion. thanks
