Unable to SAML2 log out from Okta


I’m trying to enable logout on my Okta application. The authentication protocol is SAML2 and the app uses Java Spring and runs on http://localhost:8080.

The current behavior is the following: when accessing http://localhost:8080/api/logout (the logout address), the connected user is very briefly redirected to an Okta loading page and then back to where they started (the app dashboard), which means the disconnection didn’t happen. From what I understand, this suggests that logout works on the Spring side, just not on the Okta side. Please correct me if I’m wrong.

I’ve looked up several Okta help pages, among which Sign users out | Okta Developer, and asked AI agents, but unfortunately I can’t get it to work.

Here is the Spring Security configuration file:

```java
package com.cohortis.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    // Relying party registration built from the production Okta IdP metadata
    @Bean
    @Profile("prod")
    public InMemoryRelyingPartyRegistrationRepository prodRelyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:metadata/metadata-idp.xml")
                .registrationId("okta")
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    // Same registration, but from the dev/test Okta IdP metadata
    @Bean
    @Profile({"dev", "test"})
    public InMemoryRelyingPartyRegistrationRepository devRelyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:metadata/metadata-idp-dev.xml")
                .registrationId("okta")
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/saml2/**", "/error", "/api/userIsConnected").permitAll()
                        .anyRequest().authenticated())
                .saml2Login(login -> login
                        .loginPage("/saml2/authenticate?registrationId=okta")
                        .defaultSuccessUrl("/api/loginSuccessful", true))
                // SAML 2.0 single logout endpoints at their default URLs
                .saml2Logout(withDefaults())
                // Application logout endpoint
                .logout(logout -> logout
                        .logoutUrl("/api/logout")
                        .logoutSuccessUrl("/")
                        .invalidateHttpSession(true)
                        .deleteCookies("JSESSIONID"));
        return http.build();
    }
}
```

And here’s my Okta app configuration for logging out (on the Okta website):

| Setting | Value |
|---|---|
| Enable Single Logout | [x] Allow application to initiate Single Logout |
| Single Logout URL | http://localhost:8080/logout/saml2/slo |
| SP Issuer | http://localhost:8080/saml2/service-provider-metadata/okta |
| Signed Requests | [ ] Validate SAML requests with signature certificates |

Still on the Okta website, I've uploaded my public key (which lies in the resource folder of the Spring app, along with the private key).

If you have any idea of how to fix this, please let me know. And sorry for being a noob…

Thank you so much for your help 🙏
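Added example, not part of the question above and not the poster's code: a Spring Security 6 configuration in which the application's logout URL is wired into the SAML 2.0 single logout filter, so that a local logout is followed by a signed LogoutRequest to the identity provider instead of stopping at the local session. It keeps the registration id, entity id, metadata path and Single Logout URL from the question; the class name `SloSecurityConfig` and the key file names `credentials/sp-private.pem` (PKCS#8 PEM) and `credentials/sp-certificate.pem` are assumptions, since the question only says the key pair lives in the resources folder. Two things the registration needs for Spring to emit a LogoutRequest at all are a signing credential (the request is signed regardless of whether Okta validates signatures) and a SingleLogoutService endpoint in the IdP metadata XML, which an identity provider typically publishes only once SLO is enabled on its side, so the metadata file should be re-downloaded after that setting is changed.

```java
package com.cohortis.config; // hypothetical: mirrors the package used in the question

import java.io.InputStream;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SloSecurityConfig {

    // Assumed file names; the question only states that the key pair is in the resources folder.
    private static final String PRIVATE_KEY_PEM = "credentials/sp-private.pem";
    private static final String CERTIFICATE_PEM = "credentials/sp-certificate.pem";

    @Bean
    public InMemoryRelyingPartyRegistrationRepository relyingPartyRegistrationRepository() throws Exception {
        Saml2X509Credential signing = Saml2X509Credential.signing(loadPrivateKey(), loadCertificate());

        RelyingPartyRegistration registration = RelyingPartyRegistrations
                // The IdP metadata must contain a SingleLogoutService element for the LogoutRequest
                // resolver to know where to send the request.
                .fromMetadataLocation("classpath:metadata/metadata-idp.xml")
                .registrationId("okta")
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                // The outgoing LogoutRequest is signed with this key; the certificate is the one
                // uploaded to the IdP so it can verify the signature if it chooses to.
                .signingX509Credentials(c -> c.add(signing))
                // Where the IdP sends its LogoutResponse (and IdP-initiated LogoutRequests).
                // Must equal the "Single Logout URL" configured in the IdP application.
                .singleLogoutServiceLocation("{baseUrl}/logout/saml2/slo")
                .singleLogoutServiceResponseLocation("{baseUrl}/logout/saml2/slo")
                .singleLogoutServiceBinding(Saml2MessageBinding.POST)
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                    .requestMatchers("/saml2/**", "/logout/saml2/**", "/error").permitAll()
                    .anyRequest().authenticated())
            .saml2Login(login -> login
                    .defaultSuccessUrl("/api/loginSuccessful", true))
            // Route the application's logout URL through the SAML 2.0 logout filter: the local
            // session is cleared by the default logout handlers, then the user is sent to the
            // IdP's SLO endpoint with a signed LogoutRequest and comes back to /logout/saml2/slo.
            .saml2Logout(saml2 -> saml2.logoutUrl("/api/logout"));
        return http.build();
    }

    // PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----") private key from the classpath
    private static PrivateKey loadPrivateKey() throws Exception {
        try (InputStream in = new ClassPathResource(PRIVATE_KEY_PEM).getInputStream()) {
            return RsaKeyConverters.pkcs8().convert(in);
        }
    }

    // X.509 PEM certificate matching the private key above
    private static X509Certificate loadCertificate() throws Exception {
        try (InputStream in = new ClassPathResource(CERTIFICATE_PEM).getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

A quick way to tell a local-only logout from a real single logout is to watch the browser's network tab during `/api/logout`: a working SLO shows a POST carrying a `SAMLRequest` parameter to the IdP's logout endpoint followed by a `SAMLResponse` arriving at `/logout/saml2/slo`, whereas a local-only logout followed by a redirect to a protected page shows a fresh `SAMLRequest` to the IdP's sign-on endpoint and an immediate `SAMLResponse` back to the ACS URL, because the IdP session is still alive and re-authenticates the user silently. That second pattern looks exactly like the brief bounce through an Okta loading page described in the question.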
