Okta Classic Engine · Single Sign-On · Answered · dates on record: 2023-05-02, 2023-05-08, 2024-06-19

63kyh (63kyh) asked a question.

IdP-initiated Single-Log-Out when using Okta to do Inbound Federation

I'm planning to use Okta's Inbound Federation feature (https://developer.okta.com/docs/concepts/identity-providers/) to implement support for customers to bring their own IdP. The implementation is something along the lines of:


1. Add customer IdP as an IdP in Okta by adding it (https://developer.okta.com/docs/reference/api/idps/#add-saml-2-0-identity-provider)

2. Redirect the user to the links.authorize authorisation URL for that Okta-registered IdP

3. In our app, consume the ID Token at my App's "callback"/redirect_uri


One question I had was: does Okta Inbound Federation support IdP-initiated SLO? The use case would be: a User signing out of their registered IdP wanting to also sign out of my app. In this case, since my app is basically an RP to Okta, my thinking was to implement an endpoint to handle OIDC backchannel logout (https://openid.net/specs/openid-connect-backchannel-1_0.html#BCRegistration); but before going deeper in that direction, my question is: does Okta actually support this?


Thanks in advance.
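The back-channel logout receiver sketched in the question, as an added example (not code from the question or from Okta). It performs the Logout Token checks the Back-Channel Logout spec requires of an RP: issuer, audience, an `iat` acceptance window, `sub` or `sid`, the `events` claim, absence of `nonce`, and `jti` replay, then ends the matching app sessions. Everything here is constructed: the issuer, client id, session table and secret are placeholders, and the token is signed with HS256 under a shared secret so the demo runs offline; an OP such as Okta signs with RS256, so production code verifies the signature against the issuer's JWKS instead, with the claim checks unchanged.

```python
"""Back-channel logout receiver for an OIDC relying party (added example)."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(ValueError):
    """Raised when a logout token fails validation; the endpoint answers 400."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS. Demo only: HS256 stands in for the OP's RS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_logout_token(token, secret, issuer, client_id, seen_jti,
                          now=None, max_age=300):
    """Return the claims of a valid Logout Token or raise LogoutTokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise LogoutTokenError("iat missing or outside the acceptance window")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("token must carry sub or sid")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:  # a nonce would mean an ID Token is being replayed as a logout token
        raise LogoutTokenError("nonce must not be present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


class SessionStore:
    """In-memory stand-in for the app's session table: session id -> {sub, sid}."""

    def __init__(self, sessions=None):
        self.sessions = dict(sessions or {})

    def revoke_matching(self, claims):
        """End the session named by sid, or every session of sub when no sid is given."""
        if "sid" in claims:
            victims = [k for k, v in self.sessions.items() if v.get("sid") == claims["sid"]]
        else:
            victims = [k for k, v in self.sessions.items() if v.get("sub") == claims["sub"]]
        for k in victims:
            del self.sessions[k]
        return len(victims)


def handle_backchannel_logout(token, secret, issuer, client_id, seen_jti, store, now=None):
    """Body of the POST handler: validate, then revoke. Returns the number of sessions ended."""
    claims = validate_logout_token(token, secret, issuer, client_id, seen_jti, now=now)
    return store.revoke_matching(claims)
```

The `seen_jti` set is the replay cache the spec asks for; in a real deployment it lives in shared storage with a TTL at least as long as `max_age`. A `sid`-only token ends one IdP session's footprint in the app, while a `sub`-only token (the "offboard this user" case) ends all of that user's sessions.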


  • NiallM.34104 (Atlas Identity)

    It's not really a question of Okta support. Does your federated IdP support a logout endpoint that will be requested if the user requests logout of the IdP? You have to get that logout event from the IdP and get it to trigger behaviour in Okta, and then on to your custom application. The federated IdP integration with Okta is fairly loose.


    It would be far easier to support logout of your application and then trigger the logout from Okta and the IdP (after optional session checks to determine current logged-in state).


    But if your IdP does support a logout endpoint, and it also supports a post logout redirect, you could consider chaining those requests together yourself. i.e.

    https://youridp.com/logout?redirectURI=https://youroktatenant.com/login/signout?fromURI=https://yourcustomapp/logoutendpoint.


    I've done that before to handle logging users out of multiple Okta tenants that are in a hub/spoke. But the answer depends on your IdP capability in the logout, or how you get your users to logout of the IdP.

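The chained logout redirect from the answer above, as an added example (not code from the answer or from Okta). The hosts and the `redirectURI` parameter name are taken from the answer's illustration and are assumptions about what the customer's IdP accepts; `/login/signout?fromURI=` is the Okta hop the answer chains into. Each inner URL is percent-encoded as a single query value, which matters as soon as an inner URL carries its own parameters (an unencoded `&` splits the outer query and silently drops the rest), and every hop is checked against an allowlist so the logout chain cannot be pointed at an arbitrary site.

```python
"""Build and verify a chained logout redirect: IdP -> Okta -> app (added example)."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist of hosts that may appear anywhere in the chain.
ALLOWED_HOSTS = {"youridp.com", "youroktatenant.com", "yourcustomapp"}


def check_target(url: str) -> str:
    """Accept only https URLs on allowlisted hosts; reject everything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"redirect target not allowed: {url}")
    return url


def build_logout_chain(idp_logout: str, okta_signout: str, app_logout: str) -> str:
    """IdP logout -> Okta /login/signout?fromURI=<app> -> app logout endpoint."""
    okta_hop = check_target(okta_signout) + "?" + urlencode({"fromURI": check_target(app_logout)})
    return check_target(idp_logout) + "?" + urlencode({"redirectURI": okta_hop})


def naive_logout_chain(idp_logout: str, okta_signout: str, app_logout: str) -> str:
    """The answer's chain written as plain string concatenation, for comparison."""
    return f"{idp_logout}?redirectURI={okta_signout}?fromURI={app_logout}"


def unwrap_chain(url: str) -> list:
    """Follow redirectURI/fromURI values outward, as each hop's query parser would see them."""
    hops = []
    while url:
        hops.append(url)
        query = parse_qs(urlsplit(url).query)
        nxt = query.get("redirectURI") or query.get("fromURI")
        url = nxt[0] if nxt else None
    return hops
```

`unwrap_chain` is the check to run on whatever you produce: with the encoded chain the final hop is exactly the app logout URL you started from, while the naive concatenation loses every parameter of the app URL after the first `&`, because the IdP's parser attributes them to its own query string.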
  • 63kyh (63kyh)

    > You have to get that logout event from the IdP and get it to trigger behaviour in Okta, and then on to your custom application. The federated IdP integration with Okta is fairly loose.

    >

    > It would be far easier to support logout of your application and then trigger the logout from Okta and the IdP ( after optional session checks to determine current logged in state ).


    Your suggestion is indeed simpler, but (and I should have mentioned this) the main use case for me would be to allow the Admins of these customer IdPs to "offboard" their Users and have that trigger a signout of those users from my app, rather than allowing the Users themselves a "smooth" logout experience from their IdP (though, implementing the former would allow the latter).

This question is closed.