Vikas Rajendra

Single Logout

I am trying to get SAML Global Logout to work in the Spring sample application with Okta. After setting the parameters in the advanced settings as specified in the link, I am getting an error regarding the destination endpoint: "SAML message intended destination endpoint did not match recipient endpoint"
The error occurs because in the SAML Logout response from Okta the destination is the SP’s SSO endpoint, but the message is posted to the SP’s single logout endpoint:
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/OktaSLOSample/saml/SSO" ID="id21496932117164504147781404"...
Below are the values used in SAML settings:
Single sign on URL/ Recipient URL/ Destination URL: http://localhost:8080/OktaSLOSample/saml/SSO
Audience URI (SP Entity ID): http://localhost:8080/OktaSLOSample/saml/metadata
Enable Single Logout: True
Single Logout URL: http://localhost:8080/OktaSLOSample/saml/SingleLogout
SP Issuer: http://localhost:8080/OktaSLOSample/saml/metadata
Signature Certificate: Have uploaded the certificate of alias apollo extracted from samlKeystore.jks
I noticed that the destination of the SAML LogoutResponse always has the value from the “Destination URL” SAML setting. This doesn’t work since the SP would have different SSO and SingleLogout endpoints. If I change the destination URL in the Okta app to http://localhost:8080/OktaSLOSample/saml/SingleLogout, single logout would work but not login. Can you please help me with this issue?
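The service-provider check behind the error in the post above, as an added example that is not part of the original post and is not Spring Security SAML's or Okta's code: the SP compares the message's Destination attribute with the endpoint that received it. The helper names, the normalisation rule and the sample messages are assumptions constructed for illustration; the two URLs are the ones quoted in the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Endpoint values as quoted in the post above.
SSO_URL = "http://localhost:8080/OktaSLOSample/saml/SSO"
SLO_URL = "http://localhost:8080/OktaSLOSample/saml/SingleLogout"
DEFAULT_PORTS = {"http": 80, "https": 443}


def sample_logout_response(destination=None):
    """Build a constructed LogoutResponse (not a captured Okta message)."""
    dest = f' Destination="{destination}"' if destination else ""
    return (f'<saml2p:LogoutResponse xmlns:saml2p="{SAMLP}"{dest} '
            'ID="id-constructed-0001" Version="2.0"/>')


def _canonical(url):
    """Scheme, host and port compared case-insensitively; path compared exactly."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)  # ValueError on a malformed port
    return (scheme, (parts.hostname or "").lower(), port, parts.path, parts.query)


def check_destination(xml_text, received_at):
    """Return (ok, reason) for a SAML protocol message delivered to received_at.

    Assumption of this sketch: a missing Destination is rejected, as is required
    for signed messages on the front-channel bindings. Signature validation is a
    separate step and must also pass before the message is acted on.
    """
    root = ET.fromstring(xml_text)
    if not root.tag.startswith("{%s}" % SAMLP):
        return False, "root element is not a SAML protocol message"
    destination = root.get("Destination")
    if destination is None:
        return False, "Destination attribute is missing"
    try:
        same = _canonical(destination) == _canonical(received_at)
    except ValueError:
        return False, "URL could not be parsed"
    if not same:
        return False, f"Destination {destination!r} does not match endpoint {received_at!r}"
    return True, "Destination matches receiving endpoint"
```

Calling `check_destination(sample_logout_response(SSO_URL), SLO_URL)` reproduces the mismatch described in the post; the same message built with `SLO_URL` passes.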
Thomas (Okta, Inc.)
This is a technical question which is highly complex; we have assigned it to one of our Support Engineers. We will update the Community here when the answer has been identified.

Tom Hill
Support Community Manager, Okta
Vikas Rajendra
Hi Thomas,

Any updates on this question?

Vikas Rajendra
Engineering team has confirmed that this is indeed a bug for a case I had opened on the same topic. The identifier for this issue is OKTA-69971. Once this issue is resolved, the identifier should be listed in the Okta release notes.

- Vikas
Thomas (Okta, Inc.)
From Okta Support:

Hi Vikas,

Just wanted to let you know that the release version for this fix (OKTA-69971) is 2015.44, which is due to go live tomorrow evening for orgs, and will flow into production next week.

Please let us know if you have any additional questions. If not, we'll close this case out tomorrow afternoon, which you may also re-open at any time if it's determined the issue is not resolved. Thanks for your patience in allowing us to resolve this issue for you.
Thank You,

Jon Kraatz
Okta Global Customer Care
Vikas Rajendra
Thanks for the update Jon. I was able to test the fix successfully in

- Vikas
naresh kumar

Hi, I am trying to do a POC on Single Sign On. I am a little confused about what the single sign on config variables could be, as you mentioned:
Single sign on URL: http://localhost:8080/OktaSLOSample/saml/SSO
Audience URI (SP Entity ID): http://localhost:8080/OktaSLOSample/saml/metadata

If my server runs on localhost:3000, can I replace localhost:8080 with localhost:3000?

But when I go through the documentation of Okta, they provided the Single Sign on URL and Audience URI in the same format as below

So, then what could be the Single sign on URL and Audience URI?