Okta Classic Engine > Single Sign-On | Status: Answered | Dates: 2021-11-02, 2021-11-05, 2024-03-25

axnlj (axnlj) asked a question.

Single SignOut for OKTA Running as an Identity Broker

Hi there,

I have an OKTA instance that I am using as an Identity Broker. With OIDC, this is pointing to a single IDP, which is pointing to another IDP. My app, the broker and the two IDPs are assigned sessions after signing in.

Now I would like to sign out of the application and clear all session cookies. I came across this:

https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm

Okta doesn't sign out web applications.

Does this mean our Identity Broker is capable of creating sessions but not capable of doing the reverse (removing them)? Perhaps this means OKTA cannot kill sessions in the back channel.

I also noticed Enable SLO for OIDC integrations. Could this post_logout_redirect_uri query string parameter be used to point to the first IDP in the chain (logout)?

Any help would be greatly appreciated. Thanks!


  • axnlj (axnlj)

    Hi Natalia,

    Thank you for getting back to me.

    When a service provider (my app) signs out of the application, it is configured to sign out of an OKTA instance. This is working as expected.

    However, I am having trouble with our OKTA instance sending a logout to other domains. OKTA is capable of sending the user to another Identity Provider (for example, Microsoft) to log in. However, I want to configure this instance to also sign out of the Identity Providers.

    Logging into the application sets the session cookie in three domains:

    [myapp.com] -> [OKTA] -> [Microsoft]

    Signing out of myapp.com does not sign out the third domain:

    [myapp.com] -> [OKTA] -> [Microsoft]

    Although this makes signing into applications convenient, it's a significant security flaw. I would like a way to configure my OKTA instance (acting as an Identity Broker) to remove the session cookies it has created.

    If this is not possible, could you disclose whether this piece of functionality is on the road map?

    Thanks again,

    Damien
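The session chain described in the question and in the reply above, as an added example that is not part of the original thread and not Okta's code: a Python simulation of three session-holding parties (app, broker, upstream IdP) that contrasts a plain RP-initiated logout, which only reaches the broker, with a chained logout in which each hop's post_logout_redirect_uri is itself the next hop's logout request. It assumes every hop implements OpenID Connect RP-Initiated Logout (an end-session endpoint taking id_token_hint and post_logout_redirect_uri) and that the upstream IdP's logout endpoint has been registered as an allowed sign-out redirect at the broker; the hostnames, endpoint paths, token placeholders and the set-based session model are constructed. Whether Okta permits that registration for an IdP-routing setup is not something this thread confirms.

```python
"""Added example: simulate login/logout across a brokered chain
app -> broker -> upstream IdP and show that logout only reaches the
upstream IdP when each hop's post_logout_redirect_uri is the next hop's
logout request. Hostnames, endpoints and the session model are
constructed stand-ins, not Okta's implementation.
"""
from urllib.parse import urlencode, urlparse, parse_qs


class Party:
    """One session-holding participant: the app, the broker, or the upstream IdP."""

    def __init__(self, name, logout_url, upstream=None):
        self.name = name
        self.logout_url = logout_url        # this party's end-session endpoint (constructed)
        self.upstream = upstream            # the OP this party delegated login to
        self.sessions = set()               # users with a live session (stand-in for cookies)
        self.allowed_post_logout = set()    # registered sign-out redirect URIs


def base_url(url):
    """scheme://host/path without the query; used to match endpoints."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def login(party, user):
    """Signing in at the app leaves a session at every party up the chain."""
    while party is not None:
        party.sessions.add(user)
        party = party.upstream


def logout_url(party, id_token_hint, post_logout_redirect_uri):
    """Build an RP-Initiated Logout request for one party."""
    q = {"id_token_hint": id_token_hint,
         "post_logout_redirect_uri": post_logout_redirect_uri}
    return f"{party.logout_url}?{urlencode(q)}"


def chained_logout_url(app, landing):
    """Nest logout requests from the outermost IdP inward so that each hop's
    post_logout_redirect_uri is the next hop's logout request and the last
    hop lands on the app's signed-out page."""
    chain = []
    p = app.upstream
    while p is not None:
        chain.append(p)
        p = p.upstream
    url = landing
    for p in reversed(chain):
        url = logout_url(p, f"<id_token issued by {p.name}>", url)  # placeholder hint
    return url


def follow(url, parties, user):
    """Simulate the browser following a logout URL and its redirects.
    Returns the names of the parties whose session was cleared, in order."""
    cleared = []
    by_endpoint = {p.logout_url: p for p in parties if p.logout_url}
    while url is not None:
        party = by_endpoint.get(base_url(url))
        if party is None:            # landed on an ordinary page: chain ends
            break
        party.sessions.discard(user)
        cleared.append(party.name)
        redirect = parse_qs(urlparse(url).query).get("post_logout_redirect_uri", [None])[0]
        # Real providers compare the registered URI against the whole value;
        # matching on the base URL is a simplification so the nested query survives.
        if redirect is None or base_url(redirect) not in party.allowed_post_logout:
            break                    # unregistered redirect: the provider stops here
        url = redirect
    return cleared


def build_chain():
    """Constructed three-party chain mirroring [myapp] -> [OKTA] -> [Microsoft]."""
    idp = Party("microsoft", "https://idp.example/logout")
    broker = Party("okta", "https://broker.example/logout", upstream=idp)
    app = Party("myapp", None, upstream=broker)
    landing = "https://myapp.example/signed-out"
    # Registering the upstream logout endpoint as a sign-out redirect is what
    # makes the chained variant possible (an assumption, not shown in the thread).
    broker.allowed_post_logout = {landing, idp.logout_url}
    idp.allowed_post_logout = {landing}
    return app, [app, broker, idp], landing


def sign_out(chained):
    """Log 'alice' in, sign her out from the app, and report which sessions were
    cleared and which parties still hold one."""
    app, parties, landing = build_chain()
    login(app, "alice")
    app.sessions.discard("alice")           # the app always clears its own session
    if chained:
        url = chained_logout_url(app, landing)
    else:                                   # plain SLO: only the broker is told
        url = logout_url(app.upstream, "<id_token issued by okta>", landing)
    cleared = ["myapp"] + follow(url, parties, "alice")
    remaining = sorted(p.name for p in parties if "alice" in p.sessions)
    return cleared, remaining


if __name__ == "__main__":
    print("broker-only logout:", sign_out(chained=False))  # upstream IdP session survives
    print("chained logout:    ", sign_out(chained=True))
```

The broker-only run leaves `microsoft` in the remaining list, which is the gap the reply's second diagram describes; the chained run clears all three. Because this is front-channel logout, it only works if the browser completes every redirect, so a hop that drops the user onto an error page or rejects an unregistered redirect silently leaves the sessions beyond it alive; short upstream session lifetimes and back-channel logout, where a provider supports it, remain the fallback that does not depend on the browser.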
This question is closed.