When clearing a user's sessions and tokens as an Okta admin, how can I ensure this event is propagated to the user's assigned SAML application?

There are three components to the project I’m working on:

  1. The SP is the SAML app assigned to the user, as mentioned in the title.
  2. I’m using Okta as an external IDP.
  3. I’m using an identity broker to act as a go-between for Okta and the SP.

When I clear the Okta user’s session and revoke their tokens, how can I ensure that the identity broker is notified of this event? Is there some setting I need to turn on? Do I need to have single logout turned on? I would expect that Okta sends a request to the ACS URL I provide, thus notifying my identity broker of the change, but this doesn’t seem to be happening.

Hi @kevinarthur

Single logout refers to closing the session in Okta when the session in the application is closed.

For the application to get notified about the session being closed in Okta, you can use Event Hooks (webhooks) tailored to the user.session.end event.

When the user logs out from Okta, your application receives the notification server-side on the configured endpoint and, after parsing the body of the request, you can close the session for the specific user inside the application.

If you don’t have the feature enabled for Event Hooks, please feel free to send an email to support@okta.com and ask for the WEBHOOKS feature to be enabled on your Okta tenant.

Great, thank you! This is helpful. So when configuring the SAML App in the wizard, is there a place where I need to specify the endpoint for the SP to which the logout event should be sent?

@dragos Oh it looks like setting up Event Hooks is separate from setting up a SAML app. I would think that there’s a way for Okta to send a SAML assertion to the SAML app indicating that the user’s Okta session has ended. Is this not possible? The only mechanism is Event Hooks?

Hi @kevinarthur

At the moment, only Event Hooks can be used to achieve this use case and close the user’s session inside the application when he logs out from Okta.
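
The receiving side of the Event Hook described in the replies, sketched as an added example that is not part of the thread or Okta's own code: the broker endpoint authenticates the delivery, parses the body, and drops the broker sessions of the user named in each user.session.end event. Assumptions: the body carries events under `data.events` with `eventType` and `actor.alternateId` (the user's login), the hook is configured to send a shared secret in the `Authorization` header, endpoint verification arrives as a GET with an `x-okta-verification-challenge` header, and `sessions`, `HOOK_SECRET` and `SAMPLE_BODY` are hypothetical or constructed values.

```python
import hmac
import json

HOOK_SECRET = "constructed-shared-secret"  # assumption: secret set as the hook's Authorization header
SESSION_END = "user.session.end"           # event type named in the thread

# Constructed sample delivery; field layout is an assumption (see lead-in).
SAMPLE_BODY = json.dumps({"data": {"events": [
    {"eventType": "user.session.end", "actor": {"alternateId": "alice@example.com"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}},
]}})

def handle_hook(method, headers, body, sessions, secret=HOOK_SECRET):
    """Process one request to the hook endpoint; return (status, response_dict).

    sessions is a hypothetical broker store: user login -> set of session ids.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method == "GET":
        # One-time endpoint verification: echo the challenge, change no state.
        challenge = hdrs.get("x-okta-verification-challenge")
        if challenge is None:
            return 400, {"error": "missing challenge"}
        return 200, {"verification": challenge}
    if method != "POST":
        return 405, {"error": "method not allowed"}
    # Constant-time check of the shared secret before trusting the body.
    supplied = hdrs.get("authorization", "")
    if not hmac.compare_digest(supplied.encode(), secret.encode()):
        return 401, {"error": "unauthorized"}
    try:
        events = list(json.loads(body)["data"]["events"])
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed body"}
    closed = []
    for ev in events:
        if not isinstance(ev, dict) or ev.get("eventType") != SESSION_END:
            continue  # not a session-end event; nothing to revoke
        actor = ev.get("actor")
        login = actor.get("alternateId") if isinstance(actor, dict) else None
        if login and sessions.pop(login, None) is not None:
            closed.append(login)  # all broker sessions for this user dropped
    return 200, {"closed": closed}
```

An unauthenticated or malformed POST leaves the session store untouched, so a forged request cannot log users out of the broker.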