We have an environment set up with a single IDP and two to three SPs. When logging in on one SP, navigating to another (who ‘logs in’), returning to the first and attempting to initiate SLO, the SLO fires twice from the SP and the second SLO call fails, breaking the whole SLO.
I have the SAML trace and can email it.
Hi,
I’m having a similar issue, what did you do to fix it?
We have an environment set up with Okta as a single IDP and one (1) SP. We are able to log in on our SP and navigate the application. When we try to log out (we initiate SLO from SP), the SLO fires twice from the SP and the second SLO call fails, breaking the whole SLO. This will cause the current user to stay connected to Okta (The logout response status code indicates a failure but logout will continue).
Regards,
I don’t think this is the same issue. The log from the OP showed InitiateSLO being called twice by the application.
The log you’ve sent only shows a single call to InitiateSLO.
Okta is returning a urn:oasis:names:tc:SAML:2.0:status:AuthnFailed status in the logout response.
Please take a look at the Okta system log. Hopefully it has more specific information explaining why it’s returning this error status.
In our testing with Okta, we saw no issues with SP-initiated SLO. The issue you’re seeing might be configuration related.