Single Logout (SLO) Error "FAILURE: Issuer does not match"
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

When a user attempts to log out of a Security Assertion Markup Language (SAML) application, the Single Logout (SLO) process fails, and the Okta System Logs show the message:

 

FAILURE: Issuer does not match

 


Applies To
  • Single Logout (SLO)
  • Security Assertion Markup Language (SAML)
Cause

This error occurs because the Issuer value sent by the Service Provider (SP) during the Single Logout request does not match the Issuer value configured in the application's Okta settings.

The Issuer value is a unique identifier for the Service Provider. For a successful SLO, the value sent by the application must precisely match the value that Okta has on record for that application's SAML configuration.


Solution

To resolve this issue, it is necessary to identify the exact Issuer value being sent by the Service Provider and update the Okta application configuration to match it.

 

Steps to Identify the SP Issuer Value:

  1. Access the Okta System Logs by navigating to Okta Admin Console > Reports > System Log.
  2. Use the following query to filter the logs for the failed SLO event: 
    legacyEventType eq "app.auth.slo.saml.invalid_issuer"
  3. Expand the details of the relevant log event and follow this path to find the correct Issuer value: Event > System > Debug Context > Debug Data > Issuer.
  4. The value found at this location is the correct Issuer string being sent by the SP. Copy this value.

 

Update Okta Configuration:

  1. Go to the Okta application for which SLO is configured.
    1. Navigate to the SAML Settings or General tab.
    2. Locate the Audience URI (SP Entity ID) or a similar field. This is the field that holds the Issuer value.
    3. Paste the exact value copied from the System Logs into this field.
  2. Save the changes and test the Single Logout functionality from the application again to confirm the issue is resolved.
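
To cross-check the value copied from the System Log against what the SP actually puts on the wire, the following added example (not Okta's code or part of the original article) decodes a captured `SAMLRequest` logout parameter, reads its `<saml:Issuer>`, and compares it exactly with the configured value. The function names, the sample request and the `sp.example.com` issuer are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML_BYTES = 64 * 1024  # inflate cap; a LogoutRequest is far smaller

def decode_saml_request(value, binding="redirect"):
    """Decode a SAMLRequest parameter (HTTP-Redirect or HTTP-POST) to XML text."""
    raw = base64.b64decode(unquote(value))
    if binding == "redirect":  # Redirect binding is raw DEFLATE inside base64
        inflater = zlib.decompressobj(-15)
        raw = inflater.decompress(raw, MAX_XML_BYTES)
        if inflater.unconsumed_tail:
            raise ValueError("SAMLRequest inflates past the size cap")
    xml = raw.decode("utf-8")
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        raise ValueError("DTD found; SAML messages do not carry one")
    return xml

def extract_issuer(xml):
    """Return the Issuer text exactly as sent, with no trimming."""
    issuer = ET.fromstring(xml).find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or issuer.text is None:
        raise ValueError("LogoutRequest has no Issuer element")
    return issuer.text

def explain_mismatch(sent, configured):
    # Exact comparison first, then name the usual near-miss.
    if sent == configured:
        return "match"
    near_misses = [("whitespace", str.strip), ("letter case", str.lower),
                   ("trailing slash", lambda s: s.rstrip("/"))]
    for name, normalize in near_misses:
        if normalize(sent) == normalize(configured):
            return f"{name} differs"
    return "different value"

def encode_for_redirect(xml):  # only used to build the constructed sample
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()

# Constructed sample: the issuer, ID and NameID are made up.
SAMPLE_REQUEST = encode_for_redirect(
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://sp.example.com/saml/</saml:Issuer>"
    "<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>")
```

The `SAMLRequest` value can be taken from the logout redirect in the browser's network tab; pass `binding="post"` when the SP uses the HTTP-POST binding, which is base64 without compression.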
