How to Configure SAML Single Logout in WS1 for Okta

If you have configured Okta as a 3rd Party IDP in Workspace ONE you might have noticed that the “Logout” function in Workspace ONE doesn’t log you out of your Okta session. The reason for this is that Okta does not include the “SingleLogoutService” by default in the metadata that is used when creating the 3rd Party IDP in Workspace ONE.

There are a couple extra steps that you need to do to enable this functionality. Before you begin, please make sure you download your signing certificate from Workspace ONE.

  1. Log into Workspace ONE
  2. Click on Catalog -> Settings (Note: Don’t click the down arrow and settings)
  3. Click on SAML Metadata
  4. Scroll down to the Signing Certificate and Click Download

Now you will need to log into your Okta Administration Console.

Using the Workspace ONE Official Application

  1. Under Application, Click on the Workspace ONE Application
  2. Click on the Sign-On Tab
  3. Click Edit
  1. Click “Enable Single-Logout”
  2. Under “Signature Certificate”, browse to the location you downloaded the Workspace ONE certificate in the previous steps.
  3. Click Save
  4. Download the new metadata that contains the logout URL.

Using a custom SAML Application

  1. Under Applications -> Click on the Workspace ONE application that you previously created
  2. Click on the General Tab
  3. Under SAML Settings -> Click Edit
  4. Click Next
  5. Click on “Show Advanced Settings”
  6. Enable the Checkbox that says “Enable Single Logout”
  7. Under “Single Logout URL”, enter:  “https://%5BWS1Tenant%5D/SAAS/auth/saml/slo/response”
  8. Under SP Issuer, copy the value you have configured for Audience URI (SP Entity ID). This value should be: “https://%5BWS1Tenant%5D/SAAS/API/1.0/GET/metadata/sp.xml”
  9. Under “Signature Certificate”, browse to the location you downloaded the Workspace ONE certificate in the previous steps.
  10. Click Upload Certificate
  11. Click Next
  12. Click Finish
  13. Click on the “Sign On” tab
  14. Click on Identity Provider Metadata
  15. You will notice that your Identity Provider Metadata now includes the SingleLogoutService:
  16. Copy this metadata.

Update Workspace ONE IdP Configuration for Okta

  1. Go to Identity & Access Management
  2. Click on Identity Providers
  3. Click on your Okta 3rd Party IDP you previously created
  4. Paste your new Okta Metadata and click “Process IdP Metadata”
  5. Scroll down to “Single Sign-out Configuration” and check “Enable”. (Note: Make sure the other two values are left blank)

Now you should be able to logout from Workspace ONE and be signed out of both solutions.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s