Testing/Understanding SLO with OKTA

Hello forum.
I have some problems with understanding/testing Single Logout with OKTA.

According to section 3.7 of the SAML specs - If there are multiple participants (other applications) in a session besides your application, and one of the other participants sends a LogoutRequest to the identity platform (IP) (the session authority), then the IP will send a LogoutRequest back to all the session participants except the participant who sent the initial LogoutRequest.

So, am I understanding this correctly? After I set up SLO for my application:

  • If I log in to my application on two different browsers or computers using the same account via SAML,
  • And then log out from one of the browsers or computers,
  • The account on the other browser or computer will be logged out automatically?

After you set up SLO in your SAML apps, based on your setting Okta will send a POST or REDIRECT logout request to all the participating apps with/without session details based on your configuration. It is up to the apps to kill the sessions upon receiving the request (this step is not controlled by Okta).

Reference: Configure Single Logout | Okta Developer

Note: Only Okta session 1 is terminated. Okta Sessions 2 and 3 are still active despite Apps 2 and 3 no longer having a valid session in Browsers 2 and 3. It’s up to the apps to kill the sessions for that user.

1 Like

Thank you for the response, but I asked another question in my post.
Let me repeat it here:

Am I understanding this correctly?

  • After I set up SLO for my application through OKTA.
  • If I log in to my application on two different browsers or computers using the same account via SAML,
  • And then log out from one of the browsers or computers,
  • The account on the other browser or computer will be logged out automatically.

Right?

I think I answered this already. Let me rephrase my answer to see if it helps:

  • When one of the participating apps initiates logout, Okta will send outbound requests to the SLO endpoints of all the participating apps with an active session (even to another browser or device).
  • But automatically logging out is the part which Okta will not do. The app has to be the responsible entity to log users out on the other browser(s)/device(s) when the SLO request is received by them.
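To make concrete what "the app has to be the responsible entity" means, here is an added example of the app-side SLO endpoint logic (not from Okta, not from the original poster, and not a real SAML library): it decodes the LogoutRequest Okta POSTs, checks issuer, destination and expiry, then terminates the matching server-side sessions and builds the LogoutResponse. It follows SAML core 3.7.1 in that a request carrying SessionIndex values ends only those sessions, while a request without any (the "session inclusion" setting turned off) ends every session of the principal, which is exactly what decides whether the second browser in the question gets logged out. The issuer, endpoint URLs, cookie ids, NameID values and the fixed clock are constructed placeholders; signature verification is assumed to be done by the SAML library in front of this code and is not shown.

```python
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Hypothetical values; a real deployment takes them from the SP config and Okta's IdP metadata.
EXPECTED_ISSUER = "http://www.okta.com/exk-PLACEHOLDER"   # Okta IdP issuer (placeholder)
SLO_ENDPOINT = "https://app.example.com/saml/slo"         # this app's SLO URL (hypothetical)
SP_ENTITY_ID = "https://app.example.com/saml/metadata"    # this app's entity ID (hypothetical)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SessionStore:
    """Server-side sessions keyed by cookie id. Each records the NameID and SessionIndex of
    the assertion that created it, so an incoming LogoutRequest can be matched to them."""

    def __init__(self):
        self.sessions = {}

    def create(self, session_id, name_id, session_index):
        self.sessions[session_id] = {"name_id": name_id, "session_index": session_index}

    def terminate(self, name_id, session_indexes):
        # SAML core 3.7.1: SessionIndex present -> end only those sessions;
        # SessionIndex absent -> end every session of that principal.
        victims = sorted(
            sid for sid, s in self.sessions.items()
            if s["name_id"] == name_id
            and (not session_indexes or s["session_index"] in session_indexes)
        )
        for sid in victims:
            del self.sessions[sid]
        return victims


def _parse_instant(value):
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_logout_request(saml_request_b64, now):
    """Decode and sanity-check a LogoutRequest (signature already verified upstream)."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("LogoutRequest from unexpected issuer")
    destination = root.get("Destination")
    if destination is not None and destination != SLO_ENDPOINT:
        raise ValueError("LogoutRequest addressed to a different endpoint")
    expiry = root.get("NotOnOrAfter")
    if expiry is not None and now >= _parse_instant(expiry):
        raise ValueError("LogoutRequest has expired")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("LogoutRequest carries no NameID")
    indexes = [e.text for e in root.findall("samlp:SessionIndex", NS)]
    return {"id": root.get("ID"), "name_id": name_id, "session_indexes": indexes}


def build_logout_response(in_response_to, now, status=STATUS_SUCCESS):
    """Unsigned LogoutResponse to return to Okta; the SAML library would sign it."""
    resp = ET.Element(f"{{{NS['samlp']}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    status_el = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    ET.SubElement(status_el, f"{{{NS['samlp']}}}StatusCode", {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def handle_slo(store, saml_request_b64, now):
    """What the app's SLO endpoint does when Okta POSTs a LogoutRequest to it."""
    req = parse_logout_request(saml_request_b64, now)
    killed = store.terminate(req["name_id"], req["session_indexes"])
    return killed, build_logout_response(req["id"], now)


def constructed_request(session_index=None):
    """Constructed sample of the request Okta would send, base64-encoded as in the POST binding."""
    idx = f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>" if session_index else ""
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_req-constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" '
        f'Destination="{SLO_ENDPOINT}" NotOnOrAfter="2024-01-01T12:05:00Z">'
        f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>"
        f"<saml:NameID>alice@example.com</saml:NameID>{idx}</samlp:LogoutRequest>"
    )
    return base64.b64encode(xml.encode()).decode()


def demo_store():
    """Alice signed in from two browsers (two Okta sessions, so two SessionIndex values); Bob from one."""
    store = SessionStore()
    store.create("cookie-alice-browser1", "alice@example.com", "_idx-A")
    store.create("cookie-alice-browser2", "alice@example.com", "_idx-B")
    store.create("cookie-bob-browser1", "bob@example.com", "_idx-C")
    return store


NOW = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)  # constructed clock inside the validity window
LATER = NOW + dt.timedelta(minutes=10)                        # constructed clock past NotOnOrAfter

if __name__ == "__main__":
    print(handle_slo(demo_store(), constructed_request("_idx-A"), NOW)[0])  # only browser 1
    print(handle_slo(demo_store(), constructed_request(), NOW)[0])          # both of Alice's browsers
```

Run it and the first line lists only Alice's first browser while the second lists both, which is the practical answer to the question in this thread: with session details included, only the session named in the request ends; without them, the app ends all of that user's sessions, and either way it is this endpoint, not Okta, that removes them from the store.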

Ok. Your answer shows that we think alike.

But I see no “Okta will send outbound requests to the SLO endpoints of all the participating apps with an active session” actions.

I guess I'm missing something.

Do I need to enable “SLO frontend-channel” feature for SLO to work?

The steps you should take to configure this are:

  • Under Settings > Features > enable Front-channel Single Logout
  • For each SAML app you want to participate in SLO, under Application instance > Single Logout > App logs out when and App initiates > enable the option and then enter all the details like URL, binding and session inclusion.

Thank you. I’ve done this.
Here is my config. Is it OK?

Looks like SLO is enabled and you have provided the right section where SLO has to be configured. This has to be done to all participating apps. Then you will start seeing system logs when SLO occurs.

2 Likes

Thank you. I found the issue (it's on my side) - I had opened the sites in an incognito window :man_facepalming:. That is why I received a new session on every request.