Configuring Single Sign-Out with an Okta SAML Application

Hello folks!

It's been a while since my last tech-related blog post. Sometimes I think that the problems my team and I solve on a daily basis simply don't merit a blog post. However, I want to improve my writing skills and get as much knowledge out there as I can.

Configuring Single Sign-Out with Okta

The service provider that I am using is actually an AWS Cognito pool with a direct SAML federation with Okta. There is only one "gotcha" that I ran into. I'll get into that below.

Step 1:

Navigate to the Application's SAML configurations by clicking on the SAML application, going into the "General" tab, then "Edit" in the SAML Settings section.

Step 2:

Navigate to the "2 Configure SAML" section, then hit "Show Advanced Settings"

Step 3:

Check "Allow application to initiate Single Logout". Additional fields will be displayed once this is checked:

• Single Logout URL - This is a URL that is supplied by the service provider. In this case, since I was using AWS Cognito, I was able to retreive this URL from the console.
• SP Issuer - This is the issuer of the service provider that will used to validate the SAML request. I made this the same as the "Audience URI"
• Signature Certificate - The public key certificate used to verify the digital signatures. (Note: you must ensure that the file has the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" header and footer in order for Okta to successfully recognize the file.) My service provider didn't provide the file itself, but just the certificate string without the headers and footers. I had to put this string into a file and add the headers and footers, then upload it.

Save your configuration changes, and that's all! You can confirm this is working by signing into your application (via Okta), then signing out using your service provider's sign-out URL. You should then be prompted to log-in again, since single sign-out clears the user's Okta session.