
MeganN.08084 (Customer) asked a question.
Hey all,
I've looked over the documentation, and can't find a way to get Okta to pay attention to a Subject assertion in the SAML request. SAML works fine for a single user, but it appears to break in this scenario:
- User initiates login from SP to Okta with one account (1@gmail.com)
- User is authenticated and redirected back to SP
- User logs out of SP, but Okta session is still in place.
- Another user initiates SAML flow from the SP on the same device (2@gmail.com)
- This user is redirected to the active Okta session and is logged in and redirected to the first user's account on the SP.
It's not desirable to use the Sessions or Auth APIs to fix this flow. It would be helpful if Okta could respect the user information sent over in the SAML request, knowing to force re-authentication if the subject in the request does not match the remembered user. Is this at all possible?
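Added example (not from this thread, and not Okta's or any SAML library's code): an SP-side guard for the flow described above. It builds an SP-initiated AuthnRequest that names the expected user in a `<saml:Subject>` and sets `ForceAuthn="true"` when the account starting login differs from the one the device last used, and on the way back it checks that the asserted NameID is the user the SP expected before binding a session, so the second user is never dropped into the first user's account even if the IdP reuses its session. Whether a given IdP (Okta included) honours Subject or ForceAuthn in the request is an assumption not settled by this thread; the entity IDs, URLs and the sample response are constructed placeholders, and XML signature verification is assumed to have been done already by the SAML library.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders; real values come from SP and IdP metadata.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso/saml"


def build_authn_request(expected_subject, force_authn):
    """Serialise an SP-initiated AuthnRequest.

    expected_subject (email) is sent as <saml:Subject>; force_authn asks the
    IdP to re-authenticate instead of reusing its browser session. Whether the
    IdP acts on either is up to the IdP (assumption, see lead-in)."""
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    if expected_subject:
        subj = ET.SubElement(root, f"{{{NS['saml']}}}Subject")
        nid = ET.SubElement(subj, f"{{{NS['saml']}}}NameID", {"Format": EMAIL_FORMAT})
        nid.text = expected_subject
    return ET.tostring(root, encoding="unicode")


def request_for_login(requested_user, last_user_on_device):
    """Force re-authentication whenever the device last logged in as someone else."""
    switch = last_user_on_device is not None and last_user_on_device.lower() != requested_user.lower()
    return build_authn_request(requested_user, force_authn=switch)


def asserted_subject(response_xml):
    """Return the NameID of a successful response, or None (status failure / no subject)."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None
    nid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nid is None or not nid.text:
        return None
    return nid.text.strip().lower()


def check_response(response_xml, expected_subject):
    """'accept' only when the IdP asserted the user this SP login was started for.
    'mismatch' is the scenario from the thread: the IdP returned its remembered user."""
    got = asserted_subject(response_xml)
    if got is None:
        return "reject"
    return "accept" if got == expected_subject.lower() else "mismatch"


# Constructed sample: the IdP's remembered session answers as 1@gmail.com.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">1@gmail.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(request_for_login("2@gmail.com", last_user_on_device="1@gmail.com"))
    print(check_response(SAMPLE_RESPONSE, "2@gmail.com"))  # mismatch: do not bind a session
```

On `mismatch` the SP should discard the response and start a fresh login with `ForceAuthn="true"` rather than log the visitor in as the asserted user; on `reject` (non-Success status or no NameID) it should fail closed.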

You could configure "SLO (Single-Log-Out)" but that might not solve every use case. Looks like this has been known behavior for some time. https://support.okta.com/help/s/question/0D51Y00007tCXqGSAW/okta-session-vs-multi-myapp-user-issue?language=en_US
You might look at Okta Ideas for related feature requests so you can upvote or start your own request. Maybe with enough votes Okta will do something about this. https://support.okta.com/help/s/article/Okta-Ideas-Overview-FAQ?language=en_US