Okta Classic Engine | Single Sign-On | Answered | 2025-07-30T14:52:52.000Z | 2025-07-31T15:25:11.000Z

MatthewH.10249 (State of Iowa) asked a question.

How can a SP app implement SLO for Org2Org users?

We have 2 Okta tenants in which we have established an Org2Org hub-and-spoke model. When an OIDC app is established on the Hub tenant that has users that redirect to the spoke tenant for authentication, is there a way to log them out of both the Hub and Spoke tenants using SLO? Currently we are only able to log them out of the Hub app. The issue with this is that we want to force MFA on every login, and when the user logs out of the app and then tries to log back in, they are redirected to the Spoke app, for which they already have an active session, and thus are not prompted for a password or MFA and are automatically redirected and reauthenticated in the Hub app. Mainly looking for a way to force MFA every time someone tries to access the app on the Hub tenant.


  • Paul S. (Okta, Inc.)

    Hello @MatthewH.10249 (State of Iowa), thank you for posting on our Community page!

     

    There are a few things you can do here:

    1. You can make the application always ask for authentication, thus forcing users to log in every time they access the app. You can configure it to send a special message called prompt=login when it asks the Hub Okta tenant to authenticate the user.
    2. You can make the Spoke session shorter so that there is no active session.
    3. You can use Okta's Smart Logout Feature (I think this would be your best option):

    Okta has a specific feature called "Single Logout for IdPs". This is designed exactly for your situation!

    When you log out of your Hub app, this feature tells the Spoke Okta tenant to also end its session for that user. For this you need to reach out to Okta Support to have this feature enabled for your tenants.

     

    Thank you for reaching out to our Community and have a great day!

    Selected as Best
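
For option 1 in the answer above, a sketch of the app side: send `prompt=login` on the authorization request and, because a browser can strip that parameter, check the `auth_time` claim of the returned ID token before treating the sign-in as fresh. This is an added example, not code from Okta or from the posters; the function names, the age limits, and the endpoint passed in are assumptions, and the claims are assumed to come from an ID token whose signature, issuer and audience were already verified.

```python
import secrets
import time
from urllib.parse import urlencode

MAX_AUTH_AGE = 60  # seconds; assumed tolerance between sign-in and callback
CLOCK_SKEW = 30    # seconds; assumed allowance for clock drift


def build_authorize_url(authorize_endpoint, client_id, redirect_uri):
    """Return (url, state, nonce) for a request that asks for a fresh sign-in."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "prompt": "login",  # ask the IdP to re-authenticate the user
        "max_age": "0",     # standard OIDC; makes auth_time a required claim
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce


def is_fresh_login(claims, expected_nonce, now=None):
    """Check verified ID token claims for evidence of a recent sign-in.

    prompt=login travels through the browser and can be removed, so the
    app should not assume it was honoured; auth_time is the evidence.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False  # missing or malformed: treat as not re-authenticated
    age = now - auth_time
    return -CLOCK_SKEW <= age <= MAX_AUTH_AGE
```

The check only covers the ID token issued by the Hub to the app. Whether the Hub passes the re-authentication request on to the Spoke tenant is outside this sketch and should be confirmed in your own tenants.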
This question is closed.