We have seen this problem lately and solved it: Single Logout (SLO). SLO is a feature of federated authentication in which the end user signs out of both their Okta session and a configured application with a single logout action.
SSO makes our lives easier: we can effortlessly log in to various web applications. But this convenience comes with drawbacks.
Users often forget to log out of every session when using SSO, and this can expose them to these vulnerabilities:
- Session Hijacking
- Man-in-the-middle attacks
Remember, just because you can log out of a Service Provider (SP) does not mean you are also logging out of your IdP (Okta). When you log out of an SP (the app), you only clear your local session. Suppose your IdP automatically redirects unauthenticated users to an SP (standard behavior). In that case, logging out has no real effect: the user is redirected to the IdP and then straight back to the SP with a brand new session. SSO doesn't make it easy to log out.
That is why a true Single Log Out (SLO) experience helps reduce the vulnerabilities mentioned above.
SLO does have its requirements and restrictions. For example, both parties (the IdP and the SPs) must support the SAML Single Logout protocol. But for custom applications where you own the code, SLO is a solution you can always provide.
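To make the difference concrete, here is an added Python example (not Iron Cove's code) of a custom SP's logout handling: the local-only logout the text warns about, beside an SLO version that clears the SP session and then sends the browser to the IdP with a SAML LogoutRequest over the HTTP-Redirect binding. The Okta SLO URL, SP entity ID and session store are placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

# Placeholder IdP SLO endpoint and SP entity id (assumptions, not real Okta values).
IDP_SLO_URL = "https://example.okta.com/app/exampleapp/abc123/slo/saml"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
# Constructed in-memory SP session store: cookie -> SAML attributes saved at login.
SESSIONS = {"cookie-1": {"name_id": "alice@example.com", "session_index": "_idx-1"}}

def logout_local_only(cookie: str) -> str:
    """Incomplete logout the text warns about: clears only the SP session; Okta's session survives."""
    SESSIONS.pop(cookie, None)
    return "/login"

def build_logout_request(name_id: str, session_index: str) -> str:
    """Minimal unsigned SAML 2.0 LogoutRequest (Okta expects signed SLO requests in practice)."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SLO_URL}">'
        f"<saml:Issuer>{escape(SP_ENTITY_ID)}</saml:Issuer>"
        f"<saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )

def encode_redirect_binding(xml: str) -> str:
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; urlencode() follows.
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def logout_with_slo(cookie: str) -> str:
    """Clear the SP session, then send the browser to the IdP so Okta ends its session too."""
    attrs = SESSIONS.pop(cookie, None)
    if attrs is None:
        return "/login"  # nothing to terminate at the IdP for an unknown session
    xml = build_logout_request(attrs["name_id"], attrs["session_index"])
    return IDP_SLO_URL + "?" + urlencode({"SAMLRequest": encode_redirect_binding(xml)})

def decode_redirect_binding(url: str) -> str:
    """IdP side: pull SAMLRequest off the query string and inflate it back to XML."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode()
```

A real deployment also has to handle the LogoutResponse the IdP sends back and the IdP-initiated LogoutRequest that arrives when the user signs out of another SP.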
In short, we solved this so that when you log out of the SP, you also log out of the IdP, not only on one device but on all devices. Iron Cove creates an authentic Single Log Out experience.
Iron Cove has an SLO solution that can potentially work for you. Call today at 888.959-2825 for a Security Consultation.