IdP initiated SLO

Hello,
I am working with a 3rd Party who is acting as the IdP (using Okta). I am one of many vendors using SSO with this company, so there could potentially be a dozen or more actively logged in applications at any given time.
I am using IdP initiated SSO. The request they have is that if they logout of the IdP in one tab, my application (running in another tab) should “automatically” be logged out as well (and whatever other apps that are also logged in).
When I say “automatically” I mean that they are not willing to send an SLO request to my application. They say that this wouldn’t make sense on their end since there could be 10+ apps logged in and they would have to send requests to all of those apps, and they state other vendors are able to accomplish SLO without being sent an SLO request.

I have a .Net Core app where in my AssertionConsumerService method I Create/Signin to an account managed through the Identity framework (as per examples). Other than checking the SSO session on every request (which, I’m not sure how to do or if it would work) is there any other solution?

Not to confuse the issue, but I have a similar problem/request on the SSO side. The 3rd party expects to be able to login to their IdP in one tab, and be automatically logged in (at least not have to enter credentials again) to my application in another tab.

How can I solve either of these issues? (Note that normal IdP flow is working, meaning if I start on my application, do an IdP initiated login via redirect, then do logout from my side everything works fine).

Al…

SAML SLO specifies that the initiator send a SAML logout request to the other party which in turns returns a SAML logout response. This is how SLO works as per the SAML specification.

The IdP is responsible for sending a SAML logout request to all the SPs. This does make sense and is part of the SAML specification.

The following is an example IdP-initiated SLO flow involving multiple SPs.

1. IdP sends a SAML logout request to SP #1.
2. SP #1 sends a SAML logout response to IdP.
3. IdP sends a SAML logout request to SP #2.
4. SP #2 sends a SAML logout response to IdP.
5. This sequence repeats for each SP.

Having said that, in our experience Okta only supports SP-initiated SLO. It doesn’t send a SAML logout request for IdP-initiated SLO. Instead, the user is simply logged out from Okta.

I would like to know how other vendors achieve SLO without being sent a SAML logout request. It doesn’t really make sense and wouldn’t be SAML logout in that case. Perhaps they can provide some more details. I’d be interested to hear what they suggest.

If SAML SLO isn’t used, I’m not sure what alternatives there are other than for the user to close the browser.

The automatic login you described sounds like IdP-initiated SSO. The user starts at the IdP and SSOs to your SP. In Okta, this is either initiated by the user clicking your SP application icon or by navigating to a link. There usually is some user input to select the SP they wish to navigate to. The user won’t have to enter their credentials a second time.

In case it helps, you’ll find our Okta integration guide at:

https://www.componentspace.com/Forums/8259/Okta-Integration-Guide
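As an added illustration of the request/response sequence the reply above describes (this is constructed example code, not ComponentSpace's library, Okta's behaviour, or anything posted in this thread), the following Python walks an IdP-initiated SLO across three SPs. The IdP builds one `<samlp:LogoutRequest>` per SP, each SP verifies the issuer, terminates the matching local session and answers with a `<samlp:LogoutResponse>` carrying `InResponseTo`, and the IdP checks that every response matches its request and reports `Success`. The entity IDs, user, session index and timestamps are made up; messages are passed in-process rather than through the browser over a SAML binding, and XML signatures are omitted so the exchange itself stays visible.

```python
"""Constructed walk-through of IdP-initiated SAML Single Logout across several SPs."""
import secrets
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and status codes (values from the specification).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def build_logout_request(issuer, name_id, session_index):
    """IdP -> SP: <samlp:LogoutRequest> naming the subject and the IdP session."""
    req = ET.Element(_tag(SAMLP, "LogoutRequest"), {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",  # constructed; use the current time in practice
    })
    ET.SubElement(req, _tag(SAML, "Issuer")).text = issuer
    ET.SubElement(req, _tag(SAML, "NameID")).text = name_id
    ET.SubElement(req, _tag(SAMLP, "SessionIndex")).text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(issuer, in_response_to, status_value):
    """SP -> IdP: <samlp:LogoutResponse> tied to the request via InResponseTo."""
    resp = ET.Element(_tag(SAMLP, "LogoutResponse"), {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:01Z",  # constructed
        "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, _tag(SAML, "Issuer")).text = issuer
    status = ET.SubElement(resp, _tag(SAMLP, "Status"))
    ET.SubElement(status, _tag(SAMLP, "StatusCode"), {"Value": status_value})
    return ET.tostring(resp, encoding="unicode")


class ServiceProvider:
    """One SP; local sessions are keyed by (NameID, SessionIndex) taken from the SSO assertion."""

    def __init__(self, entity_id, trusted_idp):
        self.entity_id = entity_id
        self.trusted_idp = trusted_idp
        self.sessions = {}

    def establish_session(self, name_id, session_index):
        self.sessions[(name_id, session_index)] = {"user": name_id}

    def handle_logout_request(self, xml):
        root = ET.fromstring(xml)
        if root.tag != _tag(SAMLP, "LogoutRequest"):
            raise ValueError("expected a LogoutRequest")
        request_id = root.get("ID")
        # Only the configured IdP may end sessions (a real SP also verifies the signature).
        if root.findtext(_tag(SAML, "Issuer")) != self.trusted_idp:
            return build_logout_response(self.entity_id, request_id, STATUS_REQUESTER)
        key = (root.findtext(_tag(SAML, "NameID")), root.findtext(_tag(SAMLP, "SessionIndex")))
        self.sessions.pop(key, None)  # idempotent: an already-absent session is still a success
        return build_logout_response(self.entity_id, request_id, STATUS_SUCCESS)


class IdentityProvider:
    """Drives the multi-SP sequence from the reply: one request/response pair per SP."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sps = []

    def single_logout(self, name_id, session_index):
        outcome = {}
        for sp in self.sps:
            request_xml = build_logout_request(self.entity_id, name_id, session_index)
            request_id = ET.fromstring(request_xml).get("ID")
            response = ET.fromstring(sp.handle_logout_request(request_xml))
            code = response.find(_tag(SAMLP, "Status") + "/" + _tag(SAMLP, "StatusCode"))
            outcome[sp.entity_id] = (response.get("InResponseTo") == request_id
                                     and code is not None
                                     and code.get("Value") == STATUS_SUCCESS)
        return outcome


def demo():
    """Three SPs share one IdP session; IdP-initiated SLO clears all of them."""
    idp = IdentityProvider("https://idp.example/constructed")
    for n in (1, 2, 3):
        sp = ServiceProvider("https://sp%d.example" % n, idp.entity_id)
        sp.establish_session("alice@example", "idx-42")
        idp.sps.append(sp)
    result = idp.single_logout("alice@example", "idx-42")
    remaining = sum(len(sp.sessions) for sp in idp.sps)
    return result, remaining


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one in the reply: each SP only ends its session because it receives a logout request it can check (issuer, and in practice the signature) and can answer. Without that message the SP has nothing to act on, which is why "automatic" logout with no request sent is not SAML SLO.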