SAML SingleLogout (SLO) fails
Using an Identity Provider (IdP) such as OKTA for Single Sign On (SSO), user is able to log in but Single Logout (SLO) does not complete.
OKTA is a provider that does not handle SLO as per standard implementation.
Steps to Reproduce
1. Log in using SSO using SAML 2.0
2. Import IdP metadata
3. Try to logout
Standard SLO process involves calling the IdP to perform the logout at that source and provide the IdP with a URL to return so that Pega can complete its logout process.
1. OKTA does not have the capability to process a return URL and Pega needs to take care of its logout first and then pass control to OKTA for logout completion.
2. OKTA will ignore the Logout Location it is passed, so Save As the LogOff Rule from the Pega layer and comment out the second step, add or modify Steps: 3, 4 and 5.
3. Add new HTML Rule Web-Redirect-OKTA to redirect to IdP URL.
0% found this useful