Unable to SAML2 log out from Okta

Hello :slight_smile:

I’m trying to enable logout on my Okta application. The authentication protocol is SAML2 and the app uses Java Spring and runs on localhost:8080.

The current behavior is the following: when accessing localhost:8080/api/logout (the logout address), the connected user is very briefly redirected to an Okta loading page then back to where it started (the app dashboard), which means the disconnection didn’t happen. From what I understand, it suggests that logout works on the Spring side, just not on the Okta side. Please correct me if I’m wrong.

I’ve looked up several Okta help pages, among which Sign users out | Okta Developer, and asked AI agents, but unfortunately I can’t get it to work.

Here is the Spring Security configuration file:

package com.cohortis.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;


@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    @Profile("prod")
    public InMemoryRelyingPartyRegistrationRepository prodRelyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:metadata/metadata-idp.xml")
                .registrationId("okta")
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    @Profile({"dev", "test"})
    public InMemoryRelyingPartyRegistrationRepository devRelyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:metadata/metadata-idp-dev.xml")
                .registrationId("okta")
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/saml2/**", "/error", "/api/userIsConnected").permitAll()
                        .anyRequest().authenticated())
                .saml2Login(login -> login
                        .loginPage("/saml2/authenticate?registrationId=okta")
                        .defaultSuccessUrl("/api/loginSuccessful", true))
                .saml2Logout(withDefaults())
                .logout(logout -> logout
                        .logoutUrl("/api/logout")
                        .logoutSuccessUrl("/")
                        .invalidateHttpSession(true)
                        .deleteCookies("JSESSIONID"));
        return http.build();
    }

}

And here’s my Okta app configuration for logging out:

If you have any idea of how to fix this, please let me know. And sorry for being a noob…

Thank you so much for your help :folded_hands:

Can you check the browser’s network tab during logout and see what is sent to Okta?
In addition, after logout try to access your Okta org and see if the session is still valid or you need to re-authenticate.

I have the same setup:

.logout((logout) -> logout.logoutUrl("/logout"))
            .saml2Logout(withDefaults());

The browser’s network tab should show a POST to /app/{app_name}/e…/slo/saml where the SAML Request is of type SAML2 LogoutRequest.

If you don’t see this, then check your app’s SAML metadata in Okta and verify the bindings for SingleLogoutService are present.

Spring Security won’t redirect to the IdP if these bindings aren’t present, but if you see the redirect in the browser I assume they are.
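As an added example (not code from either poster), a small Python helper for the two checks suggested above: list the SingleLogoutService bindings an IdP metadata file advertises, and decode a SAMLRequest form value captured from the network tab to confirm it really is a LogoutRequest and see where it is addressed. The metadata and request below are constructed placeholders, not a real Okta org.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Namespaces for SAML 2.0 metadata, protocol messages and assertions.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def single_logout_bindings(metadata_xml: str) -> list[tuple[str, str]]:
    """(Binding, Location) for each SingleLogoutService the IdP metadata advertises."""
    root = ET.fromstring(metadata_xml)
    return [(slo.get("Binding", ""), slo.get("Location", ""))
            for slo in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", NS)]

def describe_logout_request(saml_request: str, redirect_binding: bool = False) -> dict:
    """Decode a SAMLRequest parameter and summarise it if it is a LogoutRequest."""
    raw = base64.b64decode(saml_request)
    if redirect_binding:  # HTTP-Redirect binding is raw-DEFLATE compressed, HTTP-POST is not
        raw = zlib.decompress(raw, -15)
    root = ET.fromstring(raw)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None
    return {"destination": root.get("Destination"),
            "issuer": text("saml:Issuer"),
            "name_id": text("saml:NameID"),
            "session_index": text("samlp:SessionIndex")}

# Constructed sample IdP metadata with placeholder org/app values, not a real Okta tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/EXAMPLE_APP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/example_app/EXAMPLE_APP_ID/slo/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.okta.com/app/example_app/EXAMPLE_APP_ID/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed LogoutRequest, base64-encoded as the POST binding sends it in the SAMLRequest form field.
SAMPLE_LOGOUT_REQUEST = base64.b64encode(b"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://example.okta.com/app/example_app/EXAMPLE_APP_ID/slo/saml">
  <saml:Issuer>http://localhost:8080/saml2/service-provider-metadata/okta</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  <samlp:SessionIndex>_constructed-session</samlp:SessionIndex>
</samlp:LogoutRequest>""").decode()
```

If the metadata returns no SingleLogoutService entries, that matches the case described above where Spring Security never redirects to the IdP; if the decoded request is a LogoutRequest but the Okta session survives, the problem is on the Okta side of the exchange.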

Thank you so much for your response.

Unfortunately, I’m no longer assigned to the project I was working on at the time.

I’m sorry to have wasted your time…

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.