
f7gld (f7gld) asked a question.
I have 2 applications with configured SAML settings. I initialize logout from the first application and I expect that the logout request will come to the other one, but it doesn't. So what do I need to do to achieve the expected behavior?
And one more question: I don't want to initialize single logout from the second application, but only to receive logout requests. I see only one way to specify the single logout URL now: by enabling the "Allow application to initiate Single Logout" checkbox and specifying it in the corresponding field. But here is a problem: I must specify a certificate too. It seems not necessary for receiving logout requests, and I want to know how I can specify only the single logout URL.

I think SLO only works in one direction with Okta, where the SP sends the request to log out of Okta. This is why there is an option to upload a certificate, as this is needed to verify the logout request from the SP. I don't think Okta supports SLO downstream to the apps. So logging out of Okta won't log you out of the SP.
I'm not 100% on this, but I think the reason this functionality isn't here is probably because of the requirement for several redirects and dependencies on the SPs. Think about the flow needed to achieve this: Logout of app0 > app0 redirects to Okta with SAML SLO > Okta session ends > Okta redirects to app1 for SLO > app1 session ends > app1 somehow redirects back to Okta? > Okta redirects to app2 for SLO... and this continues until you're logged out of the potentially 100 SAML apps the user is assigned... and I suspect you'd have to do this for every single SAML app, because Okta won't have visibility as to whether there's an active session with a given SP or not.
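
An added example, not part of the thread and not Okta's code: it shows why an IdP asks for the SP's certificate before accepting SP-initiated logout, by signing a LogoutRequest on the SP side and verifying it on the IdP side. It assumes the SAML HTTP-Redirect binding with RSA-SHA256; the key pair, issuer, URLs and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const zlib = require('node:zlib');

const SIG_ALG = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
// Constructed SP key pair; the public half is what the uploaded certificate carries.
const spKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
// Constructed sample LogoutRequest (hypothetical issuer and destination).
const SAMPLE_XML =
  '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" ' +
  'IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.com/slo">' +
  '<saml:Issuer>https://app0.example.com/sp</saml:Issuer>' +
  '<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>';

// SP side: raw-deflate and base64 the XML, then sign the exact query-string octets.
function buildLogoutQuery(xml, relayState, privateKey) {
  const samlRequest = zlib.deflateRawSync(Buffer.from(xml, 'utf8')).toString('base64');
  const signed = `SAMLRequest=${encodeURIComponent(samlRequest)}` +
    `&RelayState=${encodeURIComponent(relayState)}` +
    `&SigAlg=${encodeURIComponent(SIG_ALG)}`;
  const sig = crypto.sign('sha256', Buffer.from(signed), privateKey).toString('base64');
  return `${signed}&Signature=${encodeURIComponent(sig)}`;
}

// IdP side: verify with the registered SP public key before ending any session.
function verifyLogoutQuery(query, spPublicKey) {
  const idx = query.lastIndexOf('&Signature=');
  if (idx < 0) return { ok: false, reason: 'unsigned' };
  const signed = query.slice(0, idx); // bytes the SP signed, still URL-encoded
  const params = new URLSearchParams(query);
  if (params.get('SigAlg') !== SIG_ALG) return { ok: false, reason: 'unexpected SigAlg' };
  const sig = Buffer.from(params.get('Signature'), 'base64');
  if (!crypto.verify('sha256', Buffer.from(signed), spPublicKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  const req = params.get('SAMLRequest');
  if (!req) return { ok: false, reason: 'no SAMLRequest' };
  // Inflate only after the signature checks out, and cap the output size.
  const xml = zlib.inflateRawSync(Buffer.from(req, 'base64'), { maxOutputLength: 65536 });
  return { ok: true, xml: xml.toString('utf8') };
}

const demoQuery = buildLogoutQuery(SAMPLE_XML, 'state-1', spKeys.privateKey);
console.log(verifyLogoutQuery(demoQuery, spKeys.publicKey).ok);
```

Without the SP's public key the verifier has no way to tell a genuine logout request from a forged one, which would let anyone who can craft a URL end a user's session.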