SLO: Okta

Okta does not expose SingleLogoutService URLs in its metadata until SLO has been enabled in Okta, nor does it support service provider metadata import, so configuration is mostly manual. Begin configuration by logging into the Okta administration console. Make sure you're using the classic view (top right corner), as the new developer console does not provide the SAML configuration tools.

On the "General" tab of the appropriate Okta app, click the Edit button for the SAML Settings section.

Click Next to skip the first page that comes up (1 - General Settings). This should take you to 2 - Configure SAML. Click "Show Advanced Settings" here to expand the settings for Single Logout.

The Single Logout properties should now be visible.

To obtain values for "Single Logout URL," "SP Issuer," and "Signature Certificate," we'll need to return to Kantega SSO briefly. Open Kantega SSO in a separate browser tab, navigate to the Okta IDP, and locate the "URLs and certs for IDP setup" menu.

In Okta:

  • Check Enable Single Logout

  • Single Logout URL: copy and paste the value of "SP Logout URL" from Kantega SSO.

  • SP Issuer: copy and paste the value of "Entity ID" from Kantega SSO.

  • Signature Certificate: Click the "Download (.cer file)" link in Kantega SSO to save the service provider certificate to disk. Then click Browse in Okta, select the file, and click Upload Certificate. Okta should briefly flash an "OK" popup if the upload succeeded.

After all values have been configured, scroll to the bottom of the Okta configuration page and click Next. On the next page, choose "I am an Okta customer adding an internal app" and check "This is an internal app," then click Finish on the following screen. SLO should now be enabled on the IDP side.

To finish configuring the service provider, a metadata refresh must be performed, since Okta only publishes its SingleLogoutService URL after SLO has been enabled. In Kantega SSO, navigate to the Okta IDP and select Metadata from the navigation menu.

The metadata URL should already be filled in. If so, click Save to refresh the metadata. Then go to the Single logout menu, where the SAML provider logout URL should now be populated from the refreshed metadata. Enable Single-logout, then finally click Save.

SAML Single logout should now be enabled and used for new Okta sessions.
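If the logout URL does not appear after the metadata refresh, it helps to look at what the IdP is actually publishing. The following script is an added example, not Kantega SSO or Okta code: it parses a SAML IdP metadata document and reports whether it carries what SLO needs (a SingleLogoutService endpoint over HTTPS with a supported binding, a signing certificate for verifying signed logout messages, and the expected entityID). The two metadata documents, the entity ID, hostnames and certificate text are constructed placeholders, not real Okta values; to use it for real, fetch the metadata from the IdP's metadata URL over TLS and pass the document text in.

```python
"""Check refreshed IdP metadata for a usable Single Logout configuration.

Added example, not Kantega SSO or Okta code. The entity ID, hostnames and
certificate text below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUPPORTED_BINDINGS = {HTTP_POST, HTTP_REDIRECT}

# Constructed sample: IdP metadata as served before SLO is enabled on the IdP side.
# It carries a signing certificate and an SSO endpoint but no SingleLogoutService.
METADATA_BEFORE_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/PLACEHOLDER-ENTITY-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/PLACEHOLDER-ENTITY-ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: the same metadata after SLO is enabled; the IdP then adds the
# SingleLogoutService element that the metadata refresh picks up.
METADATA_AFTER_SLO = METADATA_BEFORE_SLO.replace(
    "  </md:IDPSSODescriptor>",
    '    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
    '        Location="https://idp.example.com/app/PLACEHOLDER-ENTITY-ID/slo/saml"/>\n'
    "  </md:IDPSSODescriptor>",
)


def slo_endpoints(metadata_xml: str) -> List[Dict[str, str]]:
    """Return the SingleLogoutService endpoints advertised in the IdP descriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return []
    return [
        {
            "binding": svc.get("Binding", ""),
            "location": svc.get("Location", ""),
            # ResponseLocation is optional; LogoutResponses go to Location when it is absent.
            "response_location": svc.get("ResponseLocation", svc.get("Location", "")),
        }
        for svc in idp.findall("md:SingleLogoutService", NS)
    ]


def check_slo_ready(metadata_xml: str, expected_entity_id: str) -> List[str]:
    """Return the problems that would keep SLO from working; empty means it looks usable."""
    problems: List[str] = []
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != expected_entity_id:
        problems.append(
            f"entityID {root.get('entityID')!r} does not match the IdP configured "
            f"in the SP ({expected_entity_id!r})"
        )
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("metadata has no IDPSSODescriptor")
        return problems
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    if not any(k.find(".//ds:X509Certificate", NS) is not None for k in signing_keys):
        problems.append("no signing certificate: signed LogoutRequest/LogoutResponse messages cannot be verified")
    endpoints = slo_endpoints(metadata_xml)
    if not endpoints:
        problems.append("no SingleLogoutService endpoint: the IdP has not published SLO yet "
                        "(re-check the IdP settings, then refresh metadata)")
    for ep in endpoints:
        if ep["binding"] not in SUPPORTED_BINDINGS:
            problems.append(f"SLO binding {ep['binding']!r} is neither HTTP-POST nor HTTP-Redirect")
        for url in (ep["location"], ep["response_location"]):
            if not url.startswith("https://"):
                problems.append(f"SLO endpoint {url!r} is not served over HTTPS")
    return problems


if __name__ == "__main__":
    entity_id = "http://www.okta.com/PLACEHOLDER-ENTITY-ID"
    for label, doc in (("before SLO", METADATA_BEFORE_SLO), ("after SLO", METADATA_AFTER_SLO)):
        print(label, slo_endpoints(doc), check_slo_ready(doc, entity_id) or "OK")
```

Run against the "before" document the checker reports only the missing SingleLogoutService, which is exactly the state the service provider sees if the metadata refresh is done before SLO is enabled in Okta; against the "after" document it reports nothing. The entityID comparison catches the case where the refreshed metadata belongs to a different Okta app than the one the service provider was configured against.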