Okta Classic Engine · Single Sign-On · Answered · 2022-03-25, 2022-03-28, 2024-04-16

Dan NK.71664 (Customer) asked a question.

Single Log-Out Okta

Hello,


I have been implementing Okta Auth with many applications via Single Sign On.


We have noticed there is an issue with logging out of Okta/Applications.


First and foremost, when a user logs out of their Okta Session via the Okta Platform they are still authorized in the corresponding applications until the refresh token expires.


Ideally the user is supposed to be logged out of every application on the browser and the tokens revoked. I have followed documentation for SLO here: 

https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm*:~:text=Single%20Logout%20(SLO)%20is%20a,to%20end%20the%20Okta%20session.

I followed the documentation with two of my OIDC Angular applications. I have noticed that when both applications are logged into the browser, and I redirect to the logout URL from the application, I do not log out of the Okta session and the applications. But when there is a single application authorized in the browser it does log out of both the application and the user session.

But I have not been able to deauthorize all application sessions from signing off from the Okta platform itself. This is a very important feature which I believe should be the default behavior. Once an Okta user session is ended all application sessions associated with that user should be ended as well.


I would appreciate support to debug this issue and find appropriate options.


  • 3yvdl (3yvdl)

    @Dan NK.71664 (Customer)​, thank you for providing details of the issue. One of our product experts will reply soon to help troubleshoot further.

  • ErikM.01943 (Customer)

    @Dan NK.71664 (Customer)​ - OAuth2 is an authorization protocol and does not define a SLO standard.

    How OIDC applications handle a session after a user logs in is independent. Some will use the expiry time from the access/id token, while others use their own session management logic.


    The Okta SLO option with an OIDC application will log the user out of the browser application (potentially multiple apps if session storage is being used), and log the user out of their Okta session.


    From https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm

    • SWA applications don't support the SLO operation.
    • SLO doesn't sign the end user out of other integrations that may be open.
    • Okta doesn't sign out web applications.
    • Not all app integrations support SLO. If the SP supports SLO in their downstream application, it is noted as a supported feature in their app configuration guide. Contact your SP directly to request that they add support for SLO.


    If you have an application that can act as a management application (can secure an API Token), then on logout your application could call clear user sessions and pass the option to include access/refresh tokens. This would invalidate all the user's tokens. However, if some integrated applications don't rely on these tokens after login, this would have no effect.

    Other applications that use an access/refresh token would not know the user is logged out until attempting to use the refresh or access token.

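The "clear user sessions with token revocation" call the answer above describes, as an added example that is not code from the thread or from Okta. It assumes the Okta Users API endpoint `DELETE /api/v1/users/{userId}/sessions` with the `oauthTokens` query flag, an SSWS API token with permission to manage users, and a placeholder org URL.

```python
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Assumption: Okta Users API, DELETE /api/v1/users/{userId}/sessions.
# oauthTokens=true additionally revokes the refresh and access tokens Okta
# issued to that user, so OIDC apps that still rely on those tokens stop
# working at the next token use. Apps that keep their own session after
# login are unaffected, as the answer notes.


def build_clear_sessions_request(org_url, api_token, user_id, revoke_oauth_tokens=True):
    """Build the DELETE request that ends every Okta session for one user."""
    query = urllib.parse.urlencode(
        {"oauthTokens": "true" if revoke_oauth_tokens else "false"}
    )
    url = (
        f"{org_url.rstrip('/')}/api/v1/users/"
        f"{urllib.parse.quote(user_id, safe='')}/sessions?{query}"
    )
    return urllib.request.Request(
        url,
        method="DELETE",
        headers={
            "Authorization": f"SSWS {api_token}",  # management API token
            "Accept": "application/json",
        },
    )


def clear_user_sessions(org_url, api_token, user_id, opener=urllib.request.urlopen):
    """Return True when Okta cleared the sessions (HTTP 204), False if the user id is unknown."""
    req = build_clear_sessions_request(org_url, api_token, user_id)
    try:
        with opener(req) as resp:
            return resp.status == 204
    except HTTPError as err:
        if err.code == 404:
            return False  # no such user; nothing to clear
        raise  # 401/403 mean the API token lacks rights; surface it


if __name__ == "__main__":
    # Placeholder values; replace with your org URL, API token and user id.
    print(clear_user_sessions("https://example.okta.com", "API_TOKEN_PLACEHOLDER", "00uPLACEHOLDER"))
```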
This question is closed.