I have two applications, A and B. App A is configured using an OOTB application and App B is configured using SAML 2.0. Both apps use SP-initiated URLs for SSO and I am able to log in successfully. But when I click logout and paste the URL in a different tab of the same browser, I am able to log in to the app without needing credentials, because the Okta session is still valid.
Is there a way to invalidate Okta session when we click on the SP logout button? I need it for both OOTB and app created using SAML 2.0.
Alex here with Okta's Customer Support Team, thank you for reaching out to us.
From what I can see based on your description, you're searching for Single Logout, which would also sign you out of Okta when you click the Sign out button on the SP. We currently support this for SAML; however, the application (SP) you're using must also support Single Logout.
Here are some details: Single Logout – Allows users to log out of both a configured custom app and Okta with a single click (but not out of other apps that may be open). For more information, see the section Single Logout Profile in the guide Profiles for the OASIS Security Assertion Markup Language (SAML) Version 2.0 (http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf). If Enable Single Logout is specified, the following three options are available:
Single Logout URL – Specify where you want to send the logout response.
SP Issuer – The issuer for the service provider.
Signature Certificate – Determines the public key certificate used to verify the digital signatures. Browse to select the certificate, then click Upload Certificate.
Note: If SAML Single Logout is configured, a field for Identity Provider Single Logout URL appears in the SAML 2.0 setup instructions.
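To make the exchange above concrete from the SP side, here is an added example (not Okta's code and not from the original thread) of what the "SP must support Single Logout" requirement means in practice: the SP builds a LogoutRequest, packs it with the SAML HTTP-Redirect binding for the Identity Provider Single Logout URL, and only ends its own session after the LogoutResponse that comes back to its Single Logout URL checks out (InResponseTo, Issuer, Destination, StatusCode). The entity IDs, URLs and the sample response are constructed placeholders. RSA signing of the redirect query (with the private key matching the Signature Certificate uploaded in Okta) and verification of the response signature are assumed to be done by the SP's SAML library; the code builds the exact string that gets signed and validates everything else using only the standard library.

```python
"""SP-side SAML 2.0 Single Logout helper (HTTP-Redirect binding), stdlib only.
Added example; hostnames, entity IDs and the sample response are constructed.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Hypothetical deployment values (assumptions, not taken from the thread).
SP_ISSUER = "https://app-b.example.com/saml/metadata"          # "SP Issuer" in Okta
SP_SLO_URL = "https://app-b.example.com/saml/slo"              # "Single Logout URL" in Okta
IDP_ISSUER = "http://www.okta.com/exk000000000000000"
IDP_SLO_URL = "https://example.okta.com/app/example_appb_1/exk000000000000000/slo/saml"


def build_logout_request(name_id, session_index, request_id=None):
    """Return (request_id, xml) for an SP-initiated LogoutRequest aimed at the IdP."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": IDP_SLO_URL,
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ISSUER
    nid = ET.SubElement(root, f"{{{NS['saml']}}}NameID",
                        {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
    nid.text = name_id
    ET.SubElement(root, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return request_id, ET.tostring(root, encoding="unicode")


def redirect_binding(xml, relay_state=None, sig_alg=RSA_SHA256):
    """Raw-DEFLATE + base64 the message and return the redirect query string.

    Per the HTTP-Redirect binding, the signature covers exactly this
    URL-encoded 'SAMLRequest[&RelayState]&SigAlg' string, in that order;
    the SP then appends '&Signature=<base64 RSA signature, url-encoded>'.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header/trailer
    raw = comp.compress(xml.encode()) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(raw).decode())]
    if relay_state:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return urlencode(params)


def decode_redirect_message(query):
    """Inverse of the binding: recover the XML carried in SAMLResponse/SAMLRequest."""
    params = parse_qs(query)
    key = "SAMLResponse" if "SAMLResponse" in params else "SAMLRequest"
    return zlib.decompress(base64.b64decode(params[key][0]), -15).decode()


def validate_logout_response(xml, expected_in_response_to):
    """Return a list of failures; empty means the SP may now end its own session."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS['samlp']}}}LogoutResponse":
        return [f"unexpected element {root.tag}"]
    problems = []
    if root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match our LogoutRequest ID")
    if root.get("Destination") not in (None, SP_SLO_URL):
        problems.append("Destination is not our Single Logout URL")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ISSUER:
        problems.append(f"Issuer {issuer!r} is not the configured IdP")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("StatusCode is not Success")
    return problems


def sample_response(in_response_to, status=STATUS_SUCCESS, issuer=IDP_ISSUER):
    """Constructed stand-in for the LogoutResponse the IdP posts back to SP_SLO_URL."""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'InResponseTo="{in_response_to}" Destination="{SP_SLO_URL}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        '</samlp:LogoutResponse>'
    )


if __name__ == "__main__":
    req_id, req_xml = build_logout_request("alice@example.com", "_sessionindex1")
    print("redirect to", IDP_SLO_URL + "?" + redirect_binding(req_xml, "/logged-out"))
    print("good:", validate_logout_response(sample_response(req_id), req_id))
    print("bad: ", validate_logout_response(sample_response("_other"), req_id))
```

The point of the validation step is the failure mode from the question: if the SP clears its local session before the IdP confirms, or accepts a LogoutResponse that was not addressed to its own request, the Okta session is still alive and pasting the SP-initiated URL silently signs the user back in.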