Hello,
I’m trying to confirm whether Universal Logout is feasible in our architecture and would appreciate pointers to documentation.
Our setup: customer IdPs federate into Okta via SAML 2.0, and Okta acts as the intermediary IdP to our application.
What we’ve ruled out: front-channel or back-channel IdP-initiated SAML SLO from the customer’s IdP into Okta, since Okta does not appear to expose a SingleLogoutService binding in the SP metadata it generates for inbound SAML federation. Please correct me if this is wrong or has changed.
What we’re hoping to confirm: whether we can support Universal Logout as a receiver so that, when a customer revokes a session or signs out at their upstream IdP and Okta’s session is consequently terminated, our application is notified and can revoke its session in turn.
Any links to current documentation would be very helpful.
Thanks!