https://support.okta.com/help/answers?id=9062a000000qucfqas&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
MANOJ SREERAMA

Getting 403 error on logout

Hi Team, I am trying to configure SAML SLO. When a logout request is sent from my SP, I am getting a 403 error. Below is my SAML logout request:
 
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://dev-999713.oktapreview.com/app/zohodev999713_samlidp_1/exkd1fnqm7P9leWe20h7/slo/saml" ID="ME_a4001cf3-9151-4d52-8217-c26703db525d" IssueInstant="2017-11-28T14:49:18Z" Version="2.0">
<saml:Issuer>https://manoj-3374:9988/mc/SamlSPMetaServlet</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#ME_a4001cf3-9151-4d52-8217-c26703db525d">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Ho1zJuQ2GWuS03KpuJSpL4UJJj0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
gz2mUQy+/8/rHtXJpns/HPOKOeOWpue39IENs4FSmUni6KF0kyjT8E5XobwRCrT1TqzmQuCVfGuE OCrMFu+C/IG5SPb3eXG2EEP3Krc5JqLL5sf/PVuIV6HSJWUNniO/IGCOI/5Ny1k2WF3tvC9ihhJc tAgKB9kiYW6wp2/UwyYIIdZWCUqWGQQa9L+1Z0G6SUfwaQZ92JRgWl1WBXCRJs8tGRfpJn9motzD jNn1griN7zfOR2j+VysTZJ2599Jonoa25Te5tgkS3upBK579j7XYx3q26tJctC1zRtfWd0dml11l ycvMVFA+GdLpjzCtcGnAd8LG73lL6h7L1bHz7Q==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDRDCCAiwCCQDZCHUD4hLI6jANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJJTjELMAkGA1UE CBMCVE4xEDAOBgNVBAcTB0NIRU5OQUkxDTALBgNVBAoTBFpPSE8xJzAlBgNVBAMTHm1hbm9qLTMz NzQuY3Nlei56b2hvY29ycGluLmNvbTAeFw0xNzExMTMwOTM1NTZaFw0xODExMTMwOTM1NTZaMGQx CzAJBgNVBAYTAklOMQswCQYDVQQIEwJUTjEQMA4GA1UEBxMHQ0hFTk5BSTENMAsGA1UEChMEWk9I TzEnMCUGA1UEAxMebWFub2otMzM3NC5jc2V6LnpvaG9jb3JwaW4uY29tMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAut6HptaSxrLrBvsDa2R+c86jwgpcTUemoBO6QYnNkgwALWfZamTI 0V0ibMvKrYi4kSbpZ6NJDSV3iI3Etbl9fsLOST1OE5VyzFzajrw17KCofwHhx1hZjCKDuii5xE5r Q+fDuCRLr1Fr/TBHgNCK1NaecibimY+YW31oCDjCyBFpGMcv6pU6A5w/P7CNGkhpugbl+MQY/6zD A19yy+3bJbNMR1IYSraUpxT8GUfQlsM5qnY4amRSq99lFr84xrVypKhf+IzGs9VuFVU9/RhQCTt0 qeaJEv1kmrcNuvG5nO4/fAI74O66w8MdyT8MjUP4tiyDHfifFfJ+CKZkRE/tPQIDAQABMA0GCSqG SIb3DQEBBQUAA4IBAQCGTC7zABPYsxKTtjILpGPZnOTl+lEYSIByNOiwrCE/rP7Caff/horVpIW0 PbjP8LcpCy0mBGP7IynOipNkG8ynWcPUf29RQlCK5lIT9bhOTylsxceegsuW2SzVcxnyYoFLZY+G LD+qf5ONKAanJ75YPzRX1rdEvpGEeH25wdl5/cLQqLqw+LzCKfypJldDw+KWuVVX4wjZ7XaaZzhT xvvJhP/mPDtpZJL1EiIErICy9qqRiCl+Z6Eab4DwS01iJxAHmtGTuLVo0+DEr6z4ovJ0LHUDP/TK Xgw+M4IMW0rTzeaKV4hDHauYE1A89FOdMXc32QRD+yeuOh9k7i5OLoqX
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="https://manoj-3374:9988/mc/SamlSPMetaServlet">manojkumar.krishnamurthy@zohocorp.com</saml:NameID>
</samlp:LogoutRequest>
Kindly assist me on this. 
 
Jaypee Manansala (Okta)
Hi Manoj,

Thanks for posting your inquiry in the Okta Support Community Portal.

You need to make sure you enable the "Enable Single Logout" feature in the Custom AIW SAML wizard and correctly input the following (assuming the SLO function is supported by the SP):

SP SLO URL
SP Issuer
Public Key Certificate

But I do recommend submitting an Okta support case to further assist you with this function.

Best,

JP Manansala
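
A pre-flight check for the settings named in the answer above, as an added example that is not from the original thread or from Okta: it pulls the Issuer, Destination and embedded signing certificate fingerprint out of a LogoutRequest and compares them with the values entered at the IdP. It assumes the IdP matches the request against those configured values, it does not verify the signature cryptographically, and the function names, hosts and sample request are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_logout_request(xml_text):
    """Extract the fields an IdP would compare with its SLO settings."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not expected in SAML messages")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    sig = root.find("ds:Signature", NS)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    cert = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                         namespaces=NS)
    der = base64.b64decode("".join(cert.split())) if cert else None
    return {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "destination": root.get("Destination"),
        "signed": sig is not None,
        # The signature reference must point at the request's own ID.
        "covers_request": ref is not None and ref.get("URI") == "#" + root.get("ID", ""),
        "cert_sha256": hashlib.sha256(der).hexdigest() if der else None,
    }

def find_mismatches(summary, sp_issuer, idp_slo_url, cert_sha256):
    """Name each setting where the request disagrees with the IdP configuration."""
    checks = [("issuer", summary["issuer"] == sp_issuer),
              ("destination", summary["destination"] == idp_slo_url),
              ("signature", summary["signed"] and summary["covers_request"]),
              ("certificate", summary["cert_sha256"] == cert_sha256)]
    return [name for name, ok in checks if not ok]

# Constructed sample: placeholder hosts, and bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_REQUEST = """<samlp:LogoutRequest xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s"
  ID="_req1" Version="2.0" Destination="https://idp.example.com/slo/saml">
<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
<ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo><ds:Reference URI="#_req1"/></ds:SignedInfo>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%(cert)s</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo></ds:Signature></samlp:LogoutRequest>""" % dict(
    NS, cert=base64.b64encode(SAMPLE_DER).decode())
```

An empty list from `find_mismatches` means the request agrees with the configured SP Issuer, SLO URL and certificate; any name it returns is the setting to re-check in the wizard.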