SAML SSO Logout

I posted this in the community forum. I am trying here to see if anyone else can help.

I hate to do this, but I am posting this here because I opened a ticket, but was told I might need to engage professional services. I can’t understand why this process isn’t fully documented and I am hoping someone can help me.

This is a CUSTOM ASP.NET application. We are using SAML for it. My application is the SP and Okta is the IdP. How do I logout of Okta?

I have not been able to find any true documentation on configuring SLO for custom ASP.NET applications that use SAML. I am trying to develop the signed request for logout, but can’t seem to find where this is documented. Everything I have read is in relation to standard enterprise applications, but nothing for something that I have written personally.

My application is custom and using ASP.NET to sign the SAML request for login.

For example, what certificate do I use for ‘Signature Certificate’? I assume it should be a self-signed one which I created using openssl. Is this the correct assumption?

When using openssl, I end up with a .crt and a .pem file. Which is used to sign the request? Is this something that no one in the world has done, because I can’t seem to find any documentation or samples anywhere? I can’t believe I have to pay someone for this information.

I found this response to a question someone had: https://github.com/Sustainsys/Saml2/issues/866#issuecomment-409551287

But what are the signQueryStr method and the idpSLOUrl variable?

After searching what seems to be the ENTIRE internet, I came across this, and found that this logout seemed to work just fine: https://{domain}.okta.org/login/signout?fromURI=. But after further review, I keep ending back at the login page and not the application page I am passing in fromURI. It brings up the login page and when the user logs in, they end up at the Okta homepage. That is not ideal. They should end up at the application (non-logged in page).

Where is the documentation for SAML SLO officially? Is there documentation? Has someone done this?
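On the signQueryStr / idpSLOUrl question: under the SAML 2.0 HTTP-Redirect binding the SP deflates and base64-encodes the LogoutRequest, signs the string `SAMLRequest=...&RelayState=...&SigAlg=...` with its own private key (the openssl key, not the .crt), and appends the signature; the IdP verifies it with the SP certificate you upload, and idpSLOUrl is simply the IdP's Single Logout endpoint. The C# below is an added sketch of that flow written for this thread, not code from the poster, Okta or Sustainsys; the method name, parameter names and the SecurityElement-based escaping are my own choices.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Builds an SP-initiated SAML 2.0 LogoutRequest for the HTTP-Redirect binding
// and signs the query string with the SP's private key (RSA-SHA256).
public static class SamlLogout
{
    const string SigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static string BuildLogoutUrl(string idpSloUrl, string spEntityId, string nameId,
                                        string sessionIndex, string relayState, X509Certificate2 spCert)
    {
        // 1. Minimal LogoutRequest. NameID and SessionIndex must be the values the IdP
        //    issued in the login assertion, otherwise the IdP rejects the request.
        string id = "_" + Guid.NewGuid().ToString("N");
        string issueInstant = DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'");
        string xml =
            "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
            "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
            $"ID=\"{id}\" Version=\"2.0\" IssueInstant=\"{issueInstant}\" " +
            $"Destination=\"{SecurityElement.Escape(idpSloUrl)}\">" +
            $"<saml:Issuer>{SecurityElement.Escape(spEntityId)}</saml:Issuer>" +
            $"<saml:NameID>{SecurityElement.Escape(nameId)}</saml:NameID>" +
            $"<samlp:SessionIndex>{SecurityElement.Escape(sessionIndex)}</samlp:SessionIndex>" +
            "</samlp:LogoutRequest>";

        // 2. Redirect binding encoding: raw DEFLATE (no zlib header), then base64.
        string samlRequest;
        using (var ms = new MemoryStream())
        {
            using (var deflate = new DeflateStream(ms, CompressionLevel.Optimal, leaveOpen: true))
            {
                byte[] raw = Encoding.UTF8.GetBytes(xml);
                deflate.Write(raw, 0, raw.Length);
            }
            samlRequest = Convert.ToBase64String(ms.ToArray());
        }

        // 3. The bytes that get signed are the URL-encoded query in exactly this order
        //    (RelayState is assumed non-empty here; omit it from both places if unused).
        string query = "SAMLRequest=" + Uri.EscapeDataString(samlRequest) +
                       "&RelayState=" + Uri.EscapeDataString(relayState) +
                       "&SigAlg=" + Uri.EscapeDataString(SigAlg);

        // 4. Sign with the SP private key; the IdP checks it against the uploaded SP certificate.
        using (RSA key = spCert.GetRSAPrivateKey())
        {
            byte[] sig = key.SignData(Encoding.UTF8.GetBytes(query), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return idpSloUrl + "?" + query + "&Signature=" + Uri.EscapeDataString(Convert.ToBase64String(sig));
        }
    }
}
```

Clear the application's own session before issuing `Response.Redirect` to the returned URL, so a user whose browser never completes the round trip to the IdP is still logged out of the SP. The IdP answers with a LogoutResponse at the SP's SLO endpoint, whose signature should be verified before trusting its status.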

It looks as if you’re extremely close to having it figured out.
Check out this guide https://developer.okta.com/docs/guides/sign-your-own-saml-csr/overview/ and https://developer.okta.com/docs/guides/saml-application-setup/config-saml-in-app/
I believe it will answer your questions. There’s quite a few links on the left of the page that should help as well. Let me know if that works out or if I can provide further insight.