SLO Fails with Malformed Request
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

When configuring Single Logout (SLO) for an application integration, the following error is encountered:

User single sign out from app
FAILURE: Malformed Request

This article explains why this error is seen and how to get past it.

Applies To
  • Single Sign-On (SSO)
  • Single Logout (SLO)
  • Security Assertion Markup Language (SAML)
Cause

This can be caused by the Service Provider sending a POST LogoutRequest to an incorrect Okta URL.

  • For example, a POST call made to https://subdomain.okta.com/app/[app_name]/exk3gtrg4epBaoWHKs480/sso/saml
Solution
  • When SAML Tracer is used to capture the Single Logout flow, the first request tagged SAML is a POST call that returns 400 Bad Request.
    • Open the SAML tab for that request and review the Destination field.
    • The value found here might look similar to: https://subdomain.okta.com/app/[app_name]/exk3gtrg4epBaoWHKs480/sso/saml
  • The correct SLO value for the application can be found in View SAML Setup Instructions (on the Sign On tab of the Okta app integration).
    • The SLO URL that will need to be updated on the application side should resemble the following:
      • https://subdomain.okta.com/app/[app_name]/exk3gtrg4epBaoWHKs480/slo/saml
      • NOTE: The ending should be /slo/saml as opposed to /sso/saml.

NOTE: For custom SAML applications implementing SLO, ensure that the LogoutRequest from the application contains exactly one of the following elements: BaseID, NameID, EncryptedID/SessionIndex.
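
A check for both conditions above (the Destination endpoint and the identifier element), as an added example that is not part of the original article or Okta's own code: it decodes the SAMLRequest form value from an HTTP-POST capture and lists what is wrong with it. The sample requests, app name, app ID and issuer are constructed placeholders, and the identifier check assumes the SAML 2.0 schema reading, counting BaseID, NameID and EncryptedID.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TAGS = {f"{{{SAML}}}{name}" for name in ("BaseID", "NameID", "EncryptedID")}

def check_logout_request(saml_request_b64):
    """Return the problems found in a POST-binding SAMLRequest form value."""
    # HTTP-POST binding carries plain base64 XML (no DEFLATE step).
    # ElementTree is acceptable for a request you captured yourself; it is
    # not a hardened parser for untrusted XML.
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return [f"root element is {root.tag}, not a samlp:LogoutRequest"]

    problems = []
    destination = root.get("Destination", "")
    path = urlparse(destination).path.rstrip("/")
    if path.endswith("/sso/saml"):
        problems.append("Destination is the SSO endpoint; SLO needs the /slo/saml URL")
    elif not path.endswith("/slo/saml"):
        problems.append(f"Destination does not end in /slo/saml: {destination!r}")

    found = [child.tag.split("}")[1] for child in root if child.tag in ID_TAGS]
    if len(found) != 1:
        problems.append(f"expected exactly one identifier element, found {found}")
    return problems

def build_sample(endpoint, identifiers):
    """Constructed LogoutRequest for illustration; all values are placeholders."""
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="https://subdomain.okta.com/app/example_app/EXAMPLE_ID/{endpoint}/saml">'
        f"<saml:Issuer>https://sp.example.com</saml:Issuer>{identifiers}"
        f"<samlp:SessionIndex>constructed-session</samlp:SessionIndex>"
        f"</samlp:LogoutRequest>"
    )
    return base64.b64encode(xml.encode()).decode()

NAME_ID = "<saml:NameID>user@example.com</saml:NameID>"

if __name__ == "__main__":
    for endpoint, ids in (("sso", NAME_ID), ("slo", ""), ("slo", NAME_ID)):
        print(endpoint, "->", check_logout_request(build_sample(endpoint, ids)) or "OK")
```

To use it on a real capture, pass the SAMLRequest parameter value shown by SAML Tracer for the failing POST to `check_logout_request`.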

 