<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00008p3pinCAAOkta Classic EngineIntegrationsAnswered2026-04-01T09:00:20.000Z2023-02-20T08:15:45.000Z2023-02-22T04:48:22.000Z

y5g9y (y5g9y) asked a question.

February 20, 2023 at 8:15 AM
Not able to configure Single Logout(SLO) in Okta using a SP initiated request in App Integrations using SAML 2.0 even when I have provided the below configuration settings in the wizard

I am trying to implement Single LogOut from my Service Provider using Okta. I have the app configured in Okta. The SSO is working fine. Just that when I am logging out of the application it is not logging me out of Okta as a result if I re login it is just logging me with the same user name without taking me to the log in page.

 

I am trying to implement Single LogOut from my Service Provider using Okta. I have the app configured in Okta. The SSO is working fine. Just that when I am logging out of the application it is not logging me out of Okta as a result if I re login it is just logging me with the same user name without taking me to the log in page.

I have configured the SLO settings as seen in the picture.

 

Image is not available
Also I am using the Url from the IDP Metadata in the SP.

And I have updated the same Signature Certificate as provided by Okta as seen in the picture:

Image is not available

 

Requirements:

  1. When I log out, it should log me out of the current application as well as Okta.
  2. When I re log in, It should ask for credentials.

I tried looking into https://help.okta.com/en-us/Content/Topics/Apps/Apps_Single_Logout.htm 

But could not understand what the actual issue was.

  • 4 answers
  • 1.41K views

  • k5fuw (k5fuw)

    When you create a SAML app in Okta, the metadata includes an Okta-generated certificate that is used by the Service Provider to verify the signature of the SAML assertions that Okta generates during user logins for your app.

    For Single Log Out (SLO), the process is reversed - the Service Provider sends a signed request to Okta to log out the user. But before Okta takes any action, it has to verify the validity of the SLO request, and it does that by verifying the signature in the log out request. Since it is the Service Provider that signs the SLO request, it is the Service Provider that must provide you with a certificate that Okta can use to verify the SLO requests. That's the certificate you need to load into the Signature Certificate field.

    Expand Post
    Selected as Best

  • a0n5s (a0n5s)

    could you provide the full setting of Okta and your application? I provide the Network of chrome developer mode when you logout from your application.

    • y5g9y (y5g9y)

      Hi Hengfeng,

      I was able to look into it further and found in the System Logs in Okta that I am getting an 'Invalid Signature' error.

      I believe it is occurring due to invalid Certificate. Could you may be let me know if we should be using the same Certificate as Signature Certificate which Okta provides.

      If not then which certificate can I use or may be a way to generate such certificates.

       

      Thanks

      Expand Post

  • k5fuw (k5fuw)

    When you create a SAML app in Okta, the metadata includes an Okta-generated certificate that is used by the Service Provider to verify the signature of the SAML assertions that Okta generates during user logins for your app.

    For Single Log Out (SLO), the process is reversed - the Service Provider sends a signed request to Okta to log out the user. But before Okta takes any action, it has to verify the validity of the SLO request, and it does that by verifying the signature in the log out request. Since it is the Service Provider that signs the SLO request, it is the Service Provider that must provide you with a certificate that Okta can use to verify the SLO requests. That's the certificate you need to load into the Signature Certificate field.

    Expand Post
    Selected as Best

    • y5g9y (y5g9y)

      Hi Mike,

      Thanks for replying!

       

      In my case I have just a sample webform application which I have created. As a result I do not have the specific certificate that is required.

      This certificate is quite new to me so finding it hard to understand.

       

      How can I get the above mentioned certificate?

      Any reference or example would be a great help. Thanks!

       

      Also, I am getting the below error in the logs.

      Image is not available
       

      Thanks!

      Expand Post
This question is closed.
Loading
Not able to configure Single Logout(SLO) in Okta using a SP initiated request in App Integrations using SAML 2.0 even when I have provided the below configuration settings in the wizard