
JeongmoK.84814 (Customer) asked a question.
My app is integrated with SSO, but it also maintains our own user session/user token for both local users and SSO users.
When a user logs out of my app,
do I have to log off the IdP as well? It can affect the other apps using the same SSO.
Or can I just log out the local user session without an IdP logout? In that case, is there any security concern with this?
If there is any recommendation/guideline for logout policy, please let me know.
Thanks
Jason

Hi @JeongmoK.84814 (Customer) , Thank you for reaching out to the Okta Community!
There is the potential of implementing Single Logout (SLO), but depending on what the user's workday looks like, that might not be required.
If the user needs access to multiple applications during the day, SLO would not be ideal, as it would trigger an Okta session end as well, essentially forcing the user to re-authenticate with Okta each time they need to use a different app.
The best way to handle this is by setting up reasonable idle session lifetimes (a few hours maybe - enough for them to work, but not long enough for it to become a potential security issue if they forget to manually end the session) both in Okta and in the app if possible.
Wherever possible, Multi-factor Authentication (MFA) is also highly recommended for an increased layer of security.
Hope it helps!
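As an added illustration (not code from the thread or from Okta), the following models the two choices discussed above in an app that keeps its own session for both local and SSO users: ending only the app session, or also redirecting the browser to the IdP's OIDC logout endpoint for Single Logout. It also enforces the idle and absolute session lifetimes the reply recommends. The issuer URL, endpoint path, lifetimes and token values are assumed placeholders.

```python
import time
import secrets
from urllib.parse import urlencode

IDLE_LIFETIME_SECONDS = 2 * 60 * 60       # idle timeout (example value)
ABSOLUTE_LIFETIME_SECONDS = 12 * 60 * 60  # hard cap regardless of activity
# Assumed OIDC end_session_endpoint of the IdP (placeholder issuer).
END_SESSION_ENDPOINT = "https://idp.example.com/oauth2/v1/logout"


class SessionStore:
    """The app's own sessions, for both local users and SSO users."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable for deterministic tests
        self._sessions = {}

    def create(self, user, id_token=None):
        # The IdP's id_token is kept only so an SLO request can reference it.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "id_token": id_token,
                               "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user if the session is alive; otherwise drop it."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_LIFETIME_SECONDS
                or now - s["created"] > ABSOLUTE_LIFETIME_SECONDS):
            del self._sessions[sid]  # expired: same effect as a logout
            return None
        s["last_seen"] = now         # sliding idle window
        return s["user"]

    def logout(self, sid, single_logout=False, post_logout_uri=None):
        """End the app session only, or also build the IdP logout redirect."""
        s = self._sessions.pop(sid, None)
        if not (single_logout and s and s.get("id_token")):
            return None              # local logout; the IdP session is untouched
        params = {"id_token_hint": s["id_token"]}
        if post_logout_uri:
            params["post_logout_redirect_uri"] = post_logout_uri
        return END_SESSION_ENDPOINT + "?" + urlencode(params)
```

With `single_logout=False` the app forgets its session while the IdP session stays valid, so the next visit to the app can silently re-establish a session via SSO; with `single_logout=True` the returned URL must be sent to the browser as a redirect for the IdP session to end.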