Sign Users Out of ASP.NET Application When They Logout From Okta Dashboard

We have an ASP.NET MVC application which uses Okta for user authentication. When an unauthenticated user browses to our app, they are directed to Okta to log in, and then they are redirected back to the application. When they click “Logout” within the application, they are signed out of the application and signed out of Okta.

The issue is when we click “Logout” from the Okta dashboard. When a user clicks “Logout” from the Okta dashboard, they are signed out of Okta, but they are not signed out of the application. When the user logs in with different credentials in Okta and opens the application, HttpContext.User.Identity still contains the previous user information.

Is it possible, when a user clicks Logout within the Okta dashboard, to also log them out of the ASP.NET application? What’s the best approach for this scenario?

From what I’ve read before, single logout only works when initiated by the service provider. When you click on the Logout button in the Okta dashboard, it only clears your Okta session but not your application session. A possible workaround is to modify the “Sign-out page URL” under Settings -> Customization in the admin dashboard to point to the logout path of your application, but this might only work if you only have to support one application URL.

@warren - Thanks for the suggestion, but unfortunately it won’t work for my use case. This seems like a big oversight in the Okta implementation; there should be a way for your applications to receive a sign-out callback from Okta.

Hey @thiag0, can you clarify what your use case is? Some developers would argue for the opposite and they don’t want the user to be logged out of their application when they log out in Okta. I believe this ultimately depends on your implementation.

Hi @thiag0

Okta does not support this option for closing sessions in all service provider applications when the user logs out from Okta.
The best solution in this case would be to implement a method in the view of your application which would check if the user is logged in to Okta using the CORS call available here and, if the user is not logged in to Okta, then close the session in the application.
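
The check described in the last reply, sketched as an added example that is not part of the thread or Okta's own code. It assumes the CORS call is Okta's `GET /api/v1/sessions/me` (200 with the session, 404 when there is none), that the page knows the signed-in user's Okta login, and it also covers the "different credentials" case from the question; `OKTA_ORG`, `APP_LOGOUT_PATH`, `POLL_MS` and all function names are hypothetical.

```javascript
// Assumed values: replace with your Okta org URL and your app's sign-out route.
const OKTA_ORG = 'https://example.okta.com';   // placeholder org
const APP_LOGOUT_PATH = '/Account/Logout';     // hypothetical route that clears the app cookie
const POLL_MS = 60000;                         // how often the view re-checks

// Pure decision: status/body of GET /api/v1/sessions/me versus the login the
// ASP.NET app rendered into the page for the current user.
function decideAction(status, session, appLogin) {
  if (status === 404) return 'signout';            // no Okta session any more
  if (status !== 200 || !session) return 'keep';   // 5xx, 429, etc.: not evidence of logout
  const oktaLogin = String(session.login || '').toLowerCase();
  // A different Okta user is now signed in: the app session is stale.
  return oktaLogin === String(appLogin).toLowerCase() ? 'keep' : 'signout';
}

// Ask Okta about the browser's current session. fetchImpl is injectable for testing.
async function checkOktaSession(appLogin, fetchImpl = fetch) {
  let res;
  try {
    res = await fetchImpl(`${OKTA_ORG}/api/v1/sessions/me`, {
      credentials: 'include',                      // send the Okta session cookie cross-origin
      headers: { Accept: 'application/json' },
    });
  } catch (err) {
    return 'keep';                                 // network or CORS failure: do not act on it
  }
  const body = res.status === 200 ? await res.json() : null;
  return decideAction(res.status, body, appLogin);
}

// Browser wiring: call once from the layout view with the current user's login.
function startSessionWatch(appLogin) {
  const tick = async () => {
    if ((await checkOktaSession(appLogin)) === 'signout') {
      window.location.assign(APP_LOGOUT_PATH);     // let the server end the app session
    }
  };
  tick();
  return setInterval(tick, POLL_MS);
}
```

The application's origin has to be registered as a Trusted Origin for CORS in the Okta admin console, or the request is rejected and the check always falls into the `keep` branch. A browser that blocks third-party cookies will not send the Okta session cookie, so the call returns 404 even for a signed-in user; treat this as a convenience check and keep server-side session lifetimes short.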