Universal Logout feasibility with Okta as intermediary

Hello,

I’m trying to confirm whether Universal Logout is feasible in our architecture and would appreciate pointers to documentation.

Our setup: customer IdPs federate into Okta via SAML 2.0, and Okta acts as the intermediary IdP to our application.

What we’ve ruled out: front-channel or back-channel IdP-initiated SAML SLO from the customer’s IdP into Okta, since Okta does not appear to expose a SingleLogoutService binding in the SP metadata it generates for inbound SAML federation. Please correct me if this is wrong or has changed.

What we’re hoping to confirm: whether we can support Universal Logout as a receiver so that, when a customer revokes a session or signs out at their upstream IdP and Okta’s session is consequently terminated, our application is notified and can revoke its session in turn.

Any links to current documentation would be very helpful.

Thanks!

Hey,

Thanks for asking this question,

  1. Inbound SAML SLO (customer IdP → Okta): it's not currently supported.
  2. Your app can be a ULO receiver (see "Initiate the global revocation of all tokens and sessions"), but ULO does NOT itself listen for upstream IdP session-end events. So in your federated flow, terminating the user's IdP session will not bubble up to Okta. ULO only fires when Okta's session is killed by either admin action or during a security breach, but SAML logout is not a trigger, sadly.

You'll need a way to kill the session either way as a manual task, which may be hitting the Sessions API, but I'm unsure on that flow for your use case as it's not equivalent to an admin action; you can try it out given the time (see "Sessions").

The closest option to what you are looking for is acting as an SSF receiver (see "Configure an SSF receiver and publish a SET | Okta Developer"), which should work in theory. Basically, Okta consumes CAEP session-revoked events, but this only works if your IdPs can act as SSF transmitters.
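To make point (2) concrete, here is an added example of what the app-side ULO receiver looks like. This is not Okta's code and not code from this thread; it assumes the request shape of the Global Token Revocation draft that Universal Logout uses (an authenticated POST whose JSON body carries a `sub_id` of format `email`, answered with 204), and the session store, bearer secret and handler name are all constructed for the example. The handler is written as a pure function so the revocation logic can be exercised offline without a web server.

```python
"""Minimal Universal Logout (Global Token Revocation) receiver for an app.

Added example, not Okta's code. Assumed request shape (from the Global
Token Revocation draft that ULO is based on):
    POST /global-token-revocation
    Authorization: Bearer <secret shared with the IdP>
    {"sub_id": {"format": "email", "email": "user@example.com"}}
Success is signalled with 204 No Content.
"""
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SessionStore:
    """Constructed in-memory stand-in for the app's session table."""
    # session_id -> user email that owns it
    sessions: Dict[str, str] = field(default_factory=dict)
    # audit trail of subjects whose sessions were revoked via ULO
    revoked_subjects: List[str] = field(default_factory=list)

    def revoke_all_for(self, email: str) -> int:
        """Drop every session belonging to `email`; return how many were cut."""
        doomed = [sid for sid, owner in self.sessions.items()
                  if owner.lower() == email.lower()]
        for sid in doomed:
            del self.sessions[sid]
        self.revoked_subjects.append(email.lower())
        return len(doomed)


def handle_revocation(method: str, headers: Dict[str, str], body: str,
                      store: SessionStore, expected_token: str) -> Tuple[int, str]:
    """Process one ULO call. Returns (HTTP status, response body).

    `expected_token` is the bearer secret the IdP was configured with when the
    app was registered as a ULO receiver (hypothetical value in the tests).
    """
    if method.upper() != "POST":
        return 405, ""

    # Header names are case-insensitive on the wire; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, ""
    presented = auth[len("Bearer "):].strip()
    # Constant-time comparison so the check does not leak the secret's prefix.
    if not hmac.compare_digest(presented, expected_token):
        return 401, ""

    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"

    sub = payload.get("sub_id") if isinstance(payload, dict) else None
    if not isinstance(sub, dict):
        return 400, "missing sub_id"

    if sub.get("format") == "email" and isinstance(sub.get("email"), str):
        # Revoke every session for the subject. The count is deliberately not
        # returned: 204 is sent whether or not sessions existed, so the endpoint
        # stays idempotent and does not confirm which users have accounts.
        store.revoke_all_for(sub["email"])
        return 204, ""

    # Other subject identifier formats are not handled by this example.
    return 400, "unsupported sub_id format"


if __name__ == "__main__":
    store = SessionStore(sessions={"s1": "alice@example.com",
                                   "s2": "bob@example.com"})
    req = json.dumps({"sub_id": {"format": "email",
                                 "email": "alice@example.com"}})
    print(handle_revocation("POST", {"Authorization": "Bearer demo-secret"},
                            req, store, "demo-secret"), store.sessions)
```

In the architecture from the first post, `revoke_all_for` is also the natural place to fire the follow-up that the thread describes: once the app has cut its own sessions for the subject, it would call the management API of its intermediary Okta tenant to end that user's Okta session as well, so that the upstream revocation is not undone by the app simply re-authenticating against a still-live Okta session.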

Hi Krishna, thanks for the response!

Thanks for confirming (1)

Inbound SAML SLO (customer IdP → Okta): it's not currently supported.

Are there plans to support back-channel OIDC SLO?

On (2)…

Your app can be a ULO receiver, but ULO does NOT itself listen for upstream IdP session-end events. So in your federated flow, terminating the user's IdP session will not bubble up to Okta. ULO only fires when Okta's session is killed by either admin action or during a security breach, but SAML logout is not a trigger, sadly.

That’s good to know! If I’m understanding correctly, in a setup where Okta is the IdP and we’ve implemented a ULO endpoint, a user logging out of their Okta session would not result in our ULO endpoint being called? And would a user clicking “End all sessions” from the End User Dashboard (as opposed to an admin terminating sessions) trigger the ULO endpoint, or is that also outside the set of triggers?

Even scoping this to admin-initiated terminations is a valuable feature for us, but broader controls would be better. Is there any public roadmap around expanding Universal Logout to cover user-initiated logout flows?

You'll need a way to kill the session either way as a manual task, which may be hitting the Sessions API, but I'm unsure on that flow for your use case as it's not equivalent to an admin action; you can try it out given the time (see "Sessions").

This aligns with my expectation that our app would need to receive the ULO call and then terminate the corresponding session in our intermediary Okta instance via the management API. Makes sense — thanks for the clarification.

The closest option to what you are looking for is acting as an SSF receiver, which should work in theory. Basically, Okta consumes CAEP session-revoked events, but this only works if your IdPs can act as SSF transmitters.

Thanks for sharing this – we would rather support a dedicated SLO mechanism like back-channel OIDC than take this approach, that said.