<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D54z00008yaxmVCAQOkta Classic EngineAnswered2024-05-25T09:03:10.000Z2023-03-24T13:09:38.000Z2023-03-27T14:55:05.000Z

qul8k (qul8k) asked a question.

OIDC Log Out not working properly with Hub and Spoke model where the application is integrated in spoke

Hi All,

 

We have a Hub and spoke model integrated in ourenvironment. Recently we integrated an OIDC application in spoke, when testing the integration in mobile app i'm experiencing the below issues. Can any one help on this

 

Case 1: When the users click log out on the mobile app and tried to login again, he is not being challenged again for credentials but simply allowed to log in. This is a security breach as the mobile is a shared device and will be used by many users. This behaviour is same in Web browser too

 

Case 2: We have a sign on policy configured where the users selects "Not to challenege" option for MFA then users will not be challenged with MFA for 15 days. This working as expected if the user access the OIDC application in web browser but through mobile app when multiple users are logging in on the same device though they selected "Not to prompt" option still they are being challenged with MFA for evry login.

 

Regards,

Hanushma


  • Paul S. (Okta, Inc.)

    Hello @qul8k (qul8k)​ Thank you for reacting out to our Community!

     

    For the log out issue, please see the below document that should address this issue:

    https://help.okta.com/en-us/Content/Topics/Apps/Apps_Single_Logout.htm

     

    For the MFA issue, this might be expected behaviour as the do not challenge option is based on cookies, and if they are reset/removed then the user will be challenged again.

    Please also see: https://support.okta.com/help/s/article/Why-do-I-keep-seeing-MFA-prompts?language=en_US

     

    Additionally if you need further assistance we recommend to leverage the Okta Developer forums for this type of questions and take advantage of their expertise.

    https://devforum.okta.com/

     

    Community members help others by clicking Like or Select as Best on responses. Try it today.

    Expand Post
  • qul8k (qul8k)

    Hi Paul,

     

    Thank you for the reply. Understood for MFA issue. But regarding SLO, since this is hub and spoke the SLO was configured for the Spoke but since the Hub session is active(as the user will be autheticated agianst Hub woth org2org config) , the user is allowed to Log in with out being challenged futher. Is ther any way that we can create the session at Hub level?

     

    Regards,

    Hanushma

    Expand Post
    • Paul S. (Okta, Inc.)

      For the SLO you would use the Logout URL from the Org2Org application setting found the the Sing on tab of the application.

This question is closed.
Loading
OIDC Log Out not working properly with Hub and Spoke model where the application is integrated in spoke