Implementing integration with Okta as an SP application, I found one case which I would like to discuss regarding the 4.4 Single Logout Profile implementation.
We have two SP applications integrated with Okta, also with single logout functionality enabled.
1. User logs in to SP1 via Okta.
2. He uses the current session to log in to SP2.
3. User has 3 "separate" valid sessions: SP1, SP2, Okta IdP.
4. User performs Single Logout from SP1.
5. SP1 generates a Logout Request and sends it to the Okta IdP, which invalidates the session and sends a Logout Request back to SP1.
6. SP2 tries to perform Single Logout; however, because of the already invalidated session in the Okta IdP, after sending the Logout Request the user is asked for credentials when redirected to the SLO page, before a Logout Response is generated.
So the question is: is the behaviour from point 6 expected and compliant with the SAML Profiles spec?
I assumed that the IdP would generate a LogoutResponse with an error status, but couldn't find a clear answer in the specification. Only:
Identity Provider Issues <LogoutResponse> to Session Participant
After processing the original session participant's <LogoutRequest> as described in the previous steps, the identity provider MUST respond to the original request with a <LogoutResponse> containing an appropriate status code to complete the SAML protocol exchange.
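Whatever the IdP returns in the scenario above, the SP side still has to decide what to do with its own session when a LogoutResponse does (or does not) come back. The following is an added example, not code from the post or from Okta: a minimal check of a LogoutResponse that binds it to the request the SP sent, reads the top-level and second-level status codes, and terminates the local SP session on any bound response, error status included. The sample responses, request IDs and issuer URL are constructed for the example; signature verification is assumed to have been done by the binding layer before this runs.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

# Constructed sample: the IdP answers SP2's request with Success.
SAMPLE_SUCCESS = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req-sp2-1" Destination="https://sp2.example/slo">
  <saml:Issuer>https://idp.example/issuer</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

# Constructed sample: the IdP reports an error (Responder/PartialLogout) for the same request.
SAMPLE_ERROR = SAMPLE_SUCCESS.replace(
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>',
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/>'
    '</samlp:StatusCode>')


def evaluate_logout_response(xml_text, expected_request_id, expected_issuer):
    """Return (terminate_local_session, top_status, second_status).

    The SP clears its own session for every response bound to the request it sent,
    even when the IdP reports an error: an already-invalidated IdP session is no
    reason to keep the SP session alive. Unbound responses are ignored entirely.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        raise ValueError("not a LogoutResponse")
    # Bind the response to our outstanding request; anything else is unsolicited or replayed.
    if root.get("InResponseTo") != expected_request_id:
        return False, None, None
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, None, None
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    top_value = top.get("Value") if top is not None else None
    second = top.find("samlp:StatusCode", NS) if top is not None else None
    second_value = second.get("Value") if second is not None else None
    return True, top_value, second_value
```

If no LogoutResponse arrives at all, as in point 6 where the user lands on a login page instead, the SP should treat the outstanding request as failed and still drop its local session rather than wait indefinitely.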