Hans Jakob Thiersch

Missing SingleLogoutService entry in IdP metadata

Dear Madams and Sirs,

We are building the cloud app Meisterplan.com and are currently implementing SAML/SSO and testing this functionality with different Identity Providers.

We found out that when exporting the IdP metadata (as described in https://support.okta.com/help/Documentation/Knowledge_Article/More_Apps/How-do-we-download-the-IDP-XML-metadata-file-from-a-SAML-Template-App), the "SingleLogoutService" entry is missing from the metadata, although this endpoint exists and works (https://itdesign.okta.com/login/signout).

As we would love to support dynamic SAML configuration for Meisterplan with Okta, my question is whether it is possible to include the SingleLogoutService entry in the IdP metadata file (most other IdPs like OneLogin and Ping provide this information).

Thank you very much for your time and regards,
Hans Jakob Thiersch
(Product Owner Meisterplan core Product)
 
Best Answer chosen by Dylann Fezeu (Customer First Programs)
Darron Hellmann (Okta)
Hi Hans

Absolutely, I assume you're referring to Okta's SAML 2.0 application template. During or after the creation of your application you can enable SLO (General -> SAML Settings -> Show Advanced Settings). By doing so and providing the service provider's single logout URL, SP Issuer information and certificate, you can then generate metadata containing information on where the logout response will be sent. Please note, you can supply placeholder values for these fields temporarily to generate metadata.

Example with SLO Disabled in Okta (General tab of application)

</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

Example with SLO Enabled in Okta (General tab of application)

</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/slo/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/slo/saml"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
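
An added example (not part of the original thread and not Okta's or Meisterplan's code): a service provider that configures SAML dynamically from IdP metadata, as in the question, can treat SingleLogoutService as optional and enable SLO only when the entry is present. The sample metadata is constructed from the fragments in the answer above, with a placeholder entityID and the certificate omitted; the DOCTYPE and https checks are hardening choices of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BASE = "https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7"

def svc(tag, binding, path):
    """Build one endpoint element for the constructed sample metadata."""
    return f'<md:{tag} Binding="{binding}" Location="{BASE}{path}"/>'

def sample_metadata(slo_enabled):
    """Constructed metadata modelled on the fragments above (no certificate)."""
    slo = ""
    if slo_enabled:
        slo = (svc("SingleLogoutService", POST, "/slo/saml")
               + svc("SingleLogoutService", REDIRECT, "/slo/saml"))
    sso = (svc("SingleSignOnService", POST, "/sso/saml")
           + svc("SingleSignOnService", REDIRECT, "/sso/saml"))
    # entityID is a placeholder, not a real Okta issuer.
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="urn:example:idp">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{slo}{sso}</md:IDPSSODescriptor></md:EntityDescriptor>')

def idp_endpoints(metadata_xml):
    """Return {'sso': {binding: url}, 'slo': {binding: url}} for the IdP."""
    # Metadata is untrusted input: refuse DTDs before handing it to the parser.
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("DOCTYPE not accepted in IdP metadata")
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    out = {"sso": {}, "slo": {}}
    for key, tag in (("sso", "SingleSignOnService"), ("slo", "SingleLogoutService")):
        for el in idp.findall("md:" + tag, NS):
            loc = el.get("Location", "")
            if not loc.startswith("https://"):
                raise ValueError(f"{tag} Location is not https: {loc!r}")
            out[key][el.get("Binding")] = loc
    return out

def slo_supported(metadata_xml):
    """True only when the IdP advertises at least one logout endpoint."""
    return bool(idp_endpoints(metadata_xml)["slo"])

if __name__ == "__main__":
    for enabled in (False, True):
        print("SLO enabled in IdP:", enabled, "->", idp_endpoints(sample_metadata(enabled))["slo"])
```
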

All Answers

Dylann Fezeu (Customer First Programs)
Hello,

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

Thank you,

Dylann Fezeu
Okta Help Center Team