Testing/Understanding SLO with OKTA

Hello forum.
I have some problems with understanding/testing Single Logout with OKTA.

According to section 3.7 of the SAML specs - If there are multiple participants (other applications) in a session besides your application, and one of the other participants sends a LogoutRequest to the identity platform (IP) (the session authority), then the IP will send a LogoutRequest back to all the session participants except the participant who sent the initial LogoutRequest.

So, am I understanding this correctly? After I set up SLO for my application:

  • If I log in to my application on two different browsers or computers using the same account via SAML,
  • And then log out from one of the browsers or computers,
  • The account on the other browser or computer will be logged out automatically?

After you set up SLO in your SAML apps, based on your settings Okta will send a POST or REDIRECT logout request to all the participating apps, with or without session details depending on your configuration. It is up to the apps to kill the sessions upon receiving the request (this step is not controlled by Okta).

Reference: Configure Single Logout | Okta Developer

Note: Only Okta session 1 is terminated. Okta Sessions 2 and 3 are still active despite Apps 2 and 3 no longer having a valid session in Browsers 2 and 3. It’s up to the apps to kill the sessions for that user.

1 Like

Thank you for the response, but I asked another question in my post.
Let me repeat it here:

Am I understanding this correctly?

  • After I set up SLO for my application through OKTA.
  • If I log in to my application on two different browsers or computers using the same account via SAML,
  • And then log out from one of the browsers or computers,
  • The account on the other browser or computer will be logged out automatically.

Right?

I think I answered this already. Let me rephrase my answer to see if it helps,

  • When one of the participating apps initiates logout, Okta will send outbound requests to the SLO endpoints of all the participating apps with an active session (even to another browser or device).
  • But automatically logging out is the part which Okta will not do. The app has to be the responsible entity to log users out on the other browser(s)/device(s) when the SLO request is received by them.

Ok. Your answer shows that we think alike.

But I see no “Okta will send outbound requests to the SLO endpoints of all the participating apps with an active session” actions.

I guess I'm missing something.

Do I need to enable “SLO frontend-channel” feature for SLO to work?

The steps you should take to configure this are:

  • Under Settings > Features > enable Front-channel Single Logout
  • For each SAML app you want to participate in SLO, under Application instance > Single Logout > App logs out when and App initiates > enable the option and then enter all the details like URL, binding and session inclusion.

Thank you. I’ve done this.
Here is my config. Is it OK?

Looks like SLO is enabled and you have provided the right section where SLO has to be configured. This has to be done to all participating apps. Then you will start seeing system logs when SLO occurs.

2 Likes

Thank you. I found the issue (it's on my side) - I opened the sites in an incognito mode window :man_facepalming:. That is why I received a new session on every request.

Hi, I must return to this thread. In your quote above you mentioned “(even to another browser or device)”.

The issue is - we don't see such behavior. We see an SLO request from the IdP only for apps opened in the same window.

What are we missing?

Do you see calls to SLO endpoints of the participating apps in the window where logout is performed?

If yes, then the client app has to implement a way to end session in different browsers/devices based on the identifier like sid being sent during this call.

If not, maybe the sessions in other browsers are not considered active, or there is a potential misconfiguration. If you are testing against a SPA without a server component, there might be no straightforward way to communicate the logout event from a different device/browser.

1 Like

This is the part that we need: We need users who are logged in on multiple devices or browsers with the same account to be logged out everywhere after logging out from our application.

Currently, it only works if all logins occur in the same browser. By ‘it works,’ I mean we see an incoming logout request from Okta.

What should we do to ensure such incoming requests are triggered for other devices and browsers?

I am still trying to figure out where the gap is.

Okta does not make outbound calls to devices/clients during this logout flow. The calls are made to the SLO endpoint configured in your app settings.

Let's say App A and App B have active sessions.

  • App A initiates logout by redirecting to end session endpoint
  • In the Okta logout screen, Okta calls appb.com/slo endpoint (this is your SLO endpoint configured in App B) inside an iframe
  • App B needs to communicate this to the client devices

For your current scenario, you can verify by looking at network logs when you perform logout and see if outbound calls are made to SLO endpoints of participating apps with active sessions.
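One way the app behind appb.com/slo could act on the iframe call described above, as an added example that is not the thread's or Okta's code: it parses a constructed POST-binding LogoutRequest and then, because Okta's front-channel call only ever reaches the browser that performed the logout, revokes every server-side session held for that NameID, so the same user's other browsers and devices drop out as well. The function names, the session store and the sample request are assumptions; the Okta Issuer value is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of Okta's front-channel LogoutRequest after the SAMLRequest
# form field is base64-decoded; the Issuer value is a placeholder.
SAMPLE_SAMLREQUEST = base64.b64encode(b"""<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/PLACEHOLDER-IDP-ID</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  <samlp:SessionIndex>_idx-browser-1</samlp:SessionIndex>
</samlp:LogoutRequest>""").decode()

# Constructed server-side session store: alice is logged in from two browsers,
# but only browser 1 ever receives the iframe call from Okta's logout page.
SESSIONS = {
    "cookie-aaa": {"name_id": "alice@example.com", "session_index": "_idx-browser-1"},
    "cookie-bbb": {"name_id": "alice@example.com", "session_index": "_idx-browser-2"},
    "cookie-ccc": {"name_id": "bob@example.com", "session_index": "_idx-bob"},
}

def parse_logout_request(b64_request):
    """Return (NameID, [SessionIndex, ...]) from a POST-binding SAMLRequest.
    Signature verification is left out; verify against the IdP cert before acting."""
    root = ET.fromstring(base64.b64decode(b64_request))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("LogoutRequest without NameID")
    return name_id.text, [e.text for e in root.findall("samlp:SessionIndex", NS)]

def revoke_sessions(store, name_id, session_indexes, all_devices=True):
    """Delete the session named by SessionIndex and, when all_devices is set, every
    other server-side session of the same NameID. Returns the ids removed."""
    killed = []
    for sid, sess in list(store.items()):
        if sess["name_id"] != name_id:
            continue
        if all_devices or sess["session_index"] in session_indexes:
            killed.append(sid)
            del store[sid]
    return sorted(killed)

def handle_slo(store, b64_request, all_devices=True):
    """What the app's /slo endpoint does when Okta calls it from the logout iframe."""
    return revoke_sessions(store, *parse_logout_request(b64_request), all_devices)
```

Pass all_devices=False to revoke only the SessionIndex Okta named; a SPA with no server-side session store has nothing to revoke here, which is the limitation noted earlier in the thread.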

By “network logs” what are you referring to? Usual browser DevTools or some Okta tool?

Could you please provide some screenshots, so I can understand which “Okta logout screen” you are referring to.

For your first question, yes I am referring to browser logs.

For the rest of the questions, please create a support case so that a dedicated support engineer can work with you and move towards a resolution.

OK, let's take a step back and I'll rephrase my initial question:

  • After I set up SLO for my 2 applications on the OKTA side
  • After I implement SLO logic in both of my applications
  • After the SLO feature was successfully tested in the case of one browser (both apps were logged in in separate tabs of the same window)
  • Will the OKTA SLO feature work if I log in via SAML to my applications on two different browsers or computers using the same account?

I've tested that (two different browsers) and that didn't work.

What am I missing?

You are correct. I’ve re-tested this on different devices and confirmed with the engineering team that the feature is designed to work only for applications within the same browser session.

My apologies for the incorrect information in my previous post.

To prevent future confusion, I have already reached out to the appropriate internal teams to have our official documentation updated to make this behavior clear.

1 Like

Huge thanks to you!!!

Do you (or the engineering team) have a solution for multiple browsers/devices?
