We are currently implementing Single Sign-On for our web application.
Using the Authorization Code flow alongside the hub and spoke design (both being hosted by Okta).
The login flow works perfectly:
- User navigates to the web application in the browser
- Redirected to the Okta hub (where they must enter their email address as the username)
- Redirected to the Okta IdP (where they must enter the password corresponding to the email address from step 2)
- Authorization code is retrieved
- Access token is retrieved using the code
- User is then authenticated internally within our web application
The problem seems to be with logging out.
I have a logout function that logs a user out internally from the web application and then also redirects to the Okta logout endpoint '/v1/logout'.
The issue that I'm seeing is when I attempt to log in with User B after logging out User A.
When I visit the web application, the authentication flow initiates as intended.
- User navigates to the web application in the browser
- Redirected to the Okta hub (where User B enters their email address as the username)
- Redirected to the Okta spoke (where the IdP automatically authenticates User B as User A?!? and the identity information for User A is returned)
Ultimately User B is logged into the web application as User A??
It seems that the IdP session for User A is persisted and retrieved for any user.
How can I fix this? Is this a configuration issue?
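As an added example (not the poster's code), this is the RP-initiated logout step the post describes on the application side: clear the local session first, then send the browser to Okta's `/v1/logout` with `id_token_hint` (the ID token obtained at login) and a `state` value that is checked when Okta redirects back, so that a forged or stale return cannot be mistaken for a completed logout. The issuer URL, redirect URI and token string are constructed placeholders, not values from the post.

```python
"""RP-initiated logout toward Okta's /v1/logout endpoint (added example).

Assumptions (placeholders, not from the original post): the issuer URL,
the post-logout redirect URI and the ID token used in the demo below.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_logout_url(issuer: str, id_token: str,
                     post_logout_redirect_uri: str, state: str) -> str:
    """Build the OIDC logout redirect. Okta requires id_token_hint so it knows
    which user's session to end; post_logout_redirect_uri must be registered
    on the application, and state is echoed back in the return redirect."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{issuer.rstrip('/')}/v1/logout?{urlencode(params)}"


def logout(session: dict, issuer: str, post_logout_redirect_uri: str) -> str:
    """End the local application session, then return the Okta redirect target.

    The local session is cleared before the redirect so that a user who never
    completes the Okta round trip is still logged out of the application."""
    id_token = session.pop("id_token")          # needed for id_token_hint
    state = secrets.token_urlsafe(16)           # per-logout anti-forgery value
    session.clear()
    session["logout_state"] = state             # survives only to verify the return
    return build_logout_url(issuer, id_token, post_logout_redirect_uri, state)


def verify_logout_callback(session: dict, callback_url: str) -> bool:
    """Accept Okta's post-logout redirect only if it carries the state we issued.
    The stored value is consumed on first use so a replayed URL fails."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("logout_state", None)
    return expected is not None and query.get("state") == [expected]


if __name__ == "__main__":
    # Constructed demo session; "hdr.payload.sig" stands in for a real ID token.
    demo = {"user": "user-a@example.test", "id_token": "hdr.payload.sig"}
    target = logout(demo, "https://example.okta.com/oauth2/default",
                    "https://app.example.test/logged-out")
    print(target)
    back = f"https://app.example.test/logged-out?state={demo['logout_state']}"
    print("callback accepted:", verify_logout_callback(demo, back))
```

Because the application session is cleared locally, a later login that returns a different identity than expected can be detected by comparing the ID token's subject with whatever the application recorded for the new login attempt.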