I have already set up Single Logout on an Okta application.
And I am able to see Single Logout URL being generated by Okta.
As a developer of a service provider implementation, what do we do with this URL?
- Redirect the user to this SLO URL?
- Send an empty POST request to this SLO?
- Send a POST request with some payload of some kind to this SLO?
- We embed this in the HTML as an embedded iframe?
There isn’t a lot of information about what we do with this SLO URL, other than knowing that “we have to provide the SP this SLO URL” and everything else is vague and unclear. What does this SLO URL really do for us?
The SLO URL is the URL where Okta will POST to after the SAML SP sends a logout request to Okta; see Configure Single Logout in app integrations | Okta
Single Logout URL — the URL for the SLO return. This is a URL on the service provider where Okta sends its sign out response (as a POST operation). If the SP doesn't have a specific SLO URL, the main SP URL can be used.
The SP would initiate the logout using the IdP (Okta) SLO endpoint.
This can be retrieved as follows:
- In the Sign On settings tab, on the Settings panel, click View Setup Instructions.
- The page that appears shows the Identity Provider Single Logout URL. Copy this URL and add it into the configuration settings back in your SP application.
Sample of a sign out request sent by the SP, SAML Logout Request Examples | SAMLTool.com
Sample of a sign out reply returned from an IdP, SAML Logout Response Examples | SAMLTool.com
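The exchange described in the answer above, sketched as an added example that is not part of the original thread and is not Okta's code: the SP builds a LogoutRequest for the IdP SLO endpoint, then checks the LogoutResponse POSTed to its own SLO URL. All URLs, the entity ID and the sample response are constructed placeholders; request signing and XML signature verification are omitted and must be done with a SAML library in a real SP.

```python
import base64, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed placeholder values, not taken from the page.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_SLO_URL = "https://sp.example.com/saml/slo"           # "Single Logout URL" given to the IdP
IDP_SLO_URL = "https://idp.example.com/app/placeholder/slo/saml"  # "Identity Provider Single Logout URL"

def build_logout_request(name_id, session_index):
    """Return (request_id, xml) for an SP-initiated LogoutRequest (unsigned here)."""
    request_id = "_" + uuid.uuid4().hex  # store per session to match the response later
    root = ET.Element("{%s}LogoutRequest" % P, {
        "ID": request_id, "Version": "2.0", "Destination": IDP_SLO_URL,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(root, "{%s}Issuer" % A).text = SP_ENTITY_ID
    ET.SubElement(root, "{%s}NameID" % A).text = name_id
    ET.SubElement(root, "{%s}SessionIndex" % P).text = session_index
    return request_id, ET.tostring(root, encoding="unicode")

def check_logout_response(saml_response_b64, expected_request_id):
    """Validate the SAMLResponse form field POSTed to the SP's SLO URL."""
    # Signature verification against the IdP certificate is NOT done here.
    raw = base64.b64decode(saml_response_b64, validate=True)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(raw)
    if root.tag != "{%s}LogoutResponse" % P:
        raise ValueError("not a LogoutResponse")
    if root.get("Destination") != SP_SLO_URL:
        raise ValueError("response was addressed to a different endpoint")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("unsolicited or mismatched response")
    code = root.find("samlp:Status/samlp:StatusCode", {"samlp": P})
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report a successful logout")
    return True  # now safe to finish clearing the local session

def constructed_response(in_response_to, status=SUCCESS):
    """Constructed sample of what the IdP would POST back (illustration only)."""
    xml = ('<samlp:LogoutResponse xmlns:samlp="%s" ID="_r1" Version="2.0" '
           'Destination="%s" InResponseTo="%s"><samlp:Status><samlp:StatusCode '
           'Value="%s"/></samlp:Status></samlp:LogoutResponse>'
           ) % (P, SP_SLO_URL, in_response_to, status)
    return base64.b64encode(xml.encode()).decode()
```
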