
qul8k (qul8k) asked a question.
Hi All,
We have a Hub and spoke model integrated in ourenvironment. Recently we integrated an OIDC application in spoke, when testing the integration in mobile app i'm experiencing the below issues. Can any one help on this
Case 1: When the users click log out on the mobile app and tried to login again, he is not being challenged again for credentials but simply allowed to log in. This is a security breach as the mobile is a shared device and will be used by many users. This behaviour is same in Web browser too
Case 2: We have a sign on policy configured where the users selects "Not to challenege" option for MFA then users will not be challenged with MFA for 15 days. This working as expected if the user access the OIDC application in web browser but through mobile app when multiple users are logging in on the same device though they selected "Not to prompt" option still they are being challenged with MFA for evry login.
Regards,
Hanushma

Hello @qul8k (qul8k) Thank you for reacting out to our Community!
For the log out issue, please see the below document that should address this issue:
https://help.okta.com/en-us/Content/Topics/Apps/Apps_Single_Logout.htm
For the MFA issue, this might be expected behaviour as the do not challenge option is based on cookies, and if they are reset/removed then the user will be challenged again.
Please also see: https://support.okta.com/help/s/article/Why-do-I-keep-seeing-MFA-prompts?language=en_US
Additionally if you need further assistance we recommend to leverage the Okta Developer forums for this type of questions and take advantage of their expertise.
https://devforum.okta.com/
Community members help others by clicking Like or Select as Best on responses. Try it today.
Hi Paul,
Thank you for the reply. Understood for MFA issue. But regarding SLO, since this is hub and spoke the SLO was configured for the Spoke but since the Hub session is active(as the user will be autheticated agianst Hub woth org2org config) , the user is allowed to Log in with out being challenged futher. Is ther any way that we can create the session at Hub level?
Regards,
Hanushma
For the SLO you would use the Logout URL from the Org2Org application setting found the the Sing on tab of the application.