Single Logout Profile usage when user already logged out from Okta
https://support.okta.com/help/answers?id=906f0000000dfdqia4&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Krzysztof Jorzak

Hello, 
Implementing an integration with Okta as an SP application, I found one case which I would like to discuss regarding the 4.4 Single Logout Profile implementation.
We have two SP applications integrated with Okta, also with single logout functionality enabled.
Imagine the flow:
1. User logs in to SP1 via Okta.
2. He uses the current session to log in to SP2.
3. User has 3 "separate" valid sessions: SP1, SP2, Okta IdP.
4. User performs Single Logout from SP1.
5. SP1 generates a Logout Request and sends it to the Okta IdP, which invalidates the session and sends back a Logout Request to SP1.
6. SP2 tries to perform Single Logout; however, because the session in the Okta IdP is already invalidated, after sending the Logout Request the user is asked for credentials when redirected to the SLO page, before the Logout Response is generated.

So the question is: is the behaviour (from pt. 6) expected and compliant with the SAML Profile spec?

I assumed that the IdP would generate a LogoutResponse with an error status, but couldn't find a clear answer in the specification. Only:

4.4.3.5 Identity Provider Issues <LogoutResponse> to Session Participant
After processing the original session participant's <LogoutRequest> as described in the previous steps
the identity provider MUST respond to the original request with a <LogoutResponse> containing an
appropriate status code to complete the SAML protocol exchange.

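As an added illustration of the exchange described in the post (this is example code, not from the thread and not Okta's or any SAML library's code): a minimal Python SP that builds the LogoutRequest from step 5, terminates its own local session before redirecting to the IdP, and then parses the IdP's LogoutResponse, checking InResponseTo against its outstanding request and reading both the top-level and second-level StatusCode. Entity IDs, session indices, the IdP SLO URL and the sample LogoutResponse documents are constructed placeholders, and XML signature verification is left out; a real SP must verify the IdP's signature before trusting any LogoutResponse.

```python
"""SP-side handling of SAML 2.0 SP-initiated Single Logout (added example).

Stdlib only. Entity IDs, session indices and the IdP SLO URL are placeholders;
XML signature verification is assumed to happen before handle_logout_response.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Status codes defined in SAML 2.0 Core 3.2.2.2 (PartialLogout is second-level)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

IDP_SLO_URL = "https://idp.example/slo"  # placeholder IdP SLO endpoint


class ServiceProvider:
    """Minimal session store for one SP participating in Single Logout."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}  # local session id -> {"name_id", "session_index"}
        self.pending = {}   # outstanding LogoutRequest ID -> local session id

    def login(self, name_id, session_index):
        sid = uuid.uuid4().hex
        self.sessions[sid] = {"name_id": name_id, "session_index": session_index}
        return sid

    def start_logout(self, sid):
        """Build the LogoutRequest for the IdP and drop the local session first.

        Terminating the local session before the redirect means the user is
        logged out of this SP even if the IdP session is already gone and the
        exchange ends in a re-authentication prompt or an error status.
        """
        sess = self.sessions.pop(sid)
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = sid
        root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
            "ID": req_id,
            "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "Destination": IDP_SLO_URL,
        })
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = self.entity_id
        ET.SubElement(root, f"{{{SAML}}}NameID").text = sess["name_id"]
        ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = sess["session_index"]
        return req_id, ET.tostring(root, encoding="unicode")

    def handle_logout_response(self, xml_text):
        """Parse the IdP's LogoutResponse; return None if it is not one we asked for."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}LogoutResponse":
            return None
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.pending:
            return None  # unsolicited or replayed response: ignore it
        self.pending.pop(in_response_to)
        top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        sub = top.find(f"{{{SAMLP}}}StatusCode") if top is not None else None
        top_code = top.get("Value") if top is not None else None
        sub_code = sub.get("Value") if sub is not None else None
        return {
            "success": top_code == STATUS_SUCCESS,
            "partial_logout": sub_code == STATUS_PARTIAL_LOGOUT,
            "top": top_code,
            "second": sub_code,
        }


def constructed_logout_response(in_response_to, top_code, second_code=None):
    """Constructed sample LogoutResponse standing in for the IdP's reply."""
    sub = f'<samlp:StatusCode Value="{second_code}"/>' if second_code else ""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'InResponseTo="{in_response_to}">'
        f'<saml:Issuer>https://idp.example</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{top_code}">{sub}</samlp:StatusCode></samlp:Status>'
        f'</samlp:LogoutResponse>'
    )


if __name__ == "__main__":
    sp1, sp2 = ServiceProvider("https://sp1.example"), ServiceProvider("https://sp2.example")
    s1 = sp1.login("alice@example.com", "idx-1")
    s2 = sp2.login("alice@example.com", "idx-1")
    req1, _ = sp1.start_logout(s1)
    print(sp1.handle_logout_response(constructed_logout_response(req1, STATUS_SUCCESS)))
    req2, _ = sp2.start_logout(s2)  # IdP session already gone at this point in the flow
    print(sp2.handle_logout_response(constructed_logout_response(req2, STATUS_RESPONDER)))
    print(sp2.sessions)  # {} either way: the local session was dropped up front
```

The design point for the scenario in the post is in `start_logout`: SP2's local session does not depend on what the IdP answers, so whether the IdP returns Success, an error status, or first prompts the user to re-authenticate, the SP2 session is already gone. The `InResponseTo` check also makes the SP ignore any LogoutResponse it did not solicit.
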
Behrouz (Okta, Inc.)
That's normal behavior, as when you sign out of the SP there will be no available session and you will need to re-authenticate.