User single sign out from app failure : Invalid Signature
https://support.okta.com/help/answers?id=9062a000000xameqa0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
oleksandr antonov


Hi,
Trying to implement SLO for my application, I've faced an "Invalid Signature" issue. I'm pretty sure what I'm sending is correct, and SLO works perfectly fine in my application with ADFS 3.0 and with the same signing certificate. Perhaps it's some additional checks that Okta performs and ADFS does not? The LogoutRequest and the LogoutResponse are below. Any help appreciated.
<samlp:LogoutRequest Destination='https://onapp.okta.com/app/onapp_devbackup_1/exkwvhw1bwOHeVbuT2p6/slo/saml' ID='_939eac9c-d0c7-49ea-a48c-c7f4173d0c5a' IssueInstant='2018-04-02T10:15:45Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>SP</saml:Issuer><ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:SignedInfo><ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/><ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/><ds:Reference URI='#_939eac9c-d0c7-49ea-a48c-c7f4173d0c5a'><ds:Transforms><ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/><ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'><ec:InclusiveNamespaces PrefixList='#default samlp saml ds xs xsi md' xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/><ds:DigestValue>OvII2+buF2f9YniNPjjE5MkUq4M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Cl9/FyQAZgiN/ttEqUBU1ZaohKXMEXXZbA3AwIEIvQgjy85cfBS2Dk7PALShhuz4d5YHetjaS6fBchyoOINrp5DnWsOHDBw/DUa+hG9uYlhaXfg+WfUvzk6mKiwl8uJwUCf66I3axDNWvlaz3p5m1L14Baog6WWAjnW3ecTSIgI=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>test@onapp.com</saml:NameID></samlp:LogoutRequest>
 
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://SP/users/auth/saml/idp_sign_out?provider_id=4" ID="id22210047872495051985806756" InResponseTo="_939eac9c-d0c7-49ea-a48c-c7f4173d0c5a" IssueInstant="2018-04-02T10:15:46.340Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exkwvhw1bwOHeVbuT2p6</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id22210047872495051985806756"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hswOigzAjCAgfAznKmfBTGjrYdI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>NvfEl+oK6Wx1f6Tunmt6jJPNok9G3IYOzhy6Dj9axRnsEI2c8dp5vET8BUnuUggQU2ySeP2MvkkZqBTrS9QbMHbMwlI6Wh0ZtCLFlVfHMQQvl/9qRJGY65LLu5CAWHiCSmunukR0qdhQfQptZcyCO//7DGPLwAyxN3mG+12apNYOUlicnJLVuIqCPDsdB0Rp39nmEyaJJau9saOSbgeo6MP+MUDK9kkgBVG+1QEljg3tRdOwP5sPduDXnD0J4Pev7/pZkBc6UYckgO2jAAj1cl4uGsp0B0dMUsiI/K2nl2qSa1WVTvmiLK6Dd2LP2nV7xbyVuQAJRDYW+MkNQ4UqMQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDmjCCAoKgAwIBAgIGAWH6+Pw5MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYDVQQGEwJVUzETMBEG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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></saml2p:Status></saml2p:LogoutResponse>
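
An added diagnostic sketch, not part of the original post and not Okta's code: it reads a signed LogoutRequest and reports the structural properties of its enveloped signature (Reference target, algorithms, signature length, element order, exc-c14n prefix list) so the request sent to one IdP can be compared with the one sent to another. The sample message is constructed with placeholder values, and `signature_facts` is a hypothetical helper name.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ec": "http://www.w3.org/2001/10/xml-exc-c14n#",
}
DSIG = NS["ds"]

# Constructed sample shaped like the LogoutRequest in the post; the ID, NameID and
# the all-zero 128-byte SignatureValue are placeholders, not values from the thread.
SAMPLE = (
    f"<samlp:LogoutRequest ID='_constructed-id' Version='2.0' "
    f"xmlns:samlp='{NS['samlp']}' xmlns:saml='{NS['saml']}'>"
    f"<saml:Issuer>SP</saml:Issuer>"
    f"<ds:Signature xmlns:ds='{DSIG}'><ds:SignedInfo>"
    f"<ds:SignatureMethod Algorithm='{DSIG}rsa-sha1'/>"
    f"<ds:Reference URI='#_constructed-id'><ds:Transforms>"
    f"<ds:Transform Algorithm='{NS['ec']}'><ec:InclusiveNamespaces "
    f"PrefixList='#default samlp saml ds xs xsi md' xmlns:ec='{NS['ec']}'/>"
    f"</ds:Transform></ds:Transforms><ds:DigestMethod Algorithm='{DSIG}sha1'/>"
    f"</ds:Reference></ds:SignedInfo>"
    f"<ds:SignatureValue>{base64.b64encode(bytes(128)).decode()}</ds:SignatureValue>"
    f"</ds:Signature><saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>"
)

def signature_facts(xml_text):
    """Report structural properties of the enveloped signature; no crypto is done."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("no enveloped ds:Signature on the message root")
    children = list(root)
    pos = children.index(sig)
    info = sig.find("ds:SignedInfo", NS)
    ref = info.find("ds:Reference", NS)
    raw = base64.b64decode(sig.findtext("ds:SignatureValue", "", NS))
    incl = sig.find(".//ec:InclusiveNamespaces", NS)
    method = info.find("ds:SignatureMethod", NS).get("Algorithm")
    digest = ref.find("ds:DigestMethod", NS).get("Algorithm")
    return {
        # The Reference must point at the ID of the element that was signed.
        "reference_matches_id": ref.get("URI") == "#" + root.get("ID", ""),
        "signature_method": method.split("#")[-1],
        "digest_method": digest.split("#")[-1],
        # An RSA signature is as long as the signing key's modulus.
        "signature_bits": len(raw) * 8,
        # The SAML schema places ds:Signature directly after saml:Issuer.
        "signature_follows_issuer": pos > 0
        and children[pos - 1].tag == f"{{{NS['saml']}}}Issuer",
        "inclusive_prefixes": incl.get("PrefixList").split() if incl is not None else [],
    }
```

It does not verify the signature cryptographically, and `xml.etree` should only be fed messages from your own SP; use a hardened parser such as defusedxml for untrusted XML.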

 
Alexandru Preda (Okta, Inc.)
Hello Oleksandr

At first sight, it does not seem to be an issue with your configuration.

I would however like to encourage you to open a ticket with our Customer Support team so that we can take a closer look at the configuration and better understand your environment in order to best provide assistance on this issue.

Thank you,

Alexandru Preda
Dylann Fezeu (Customer First Programs)
Hello Oleksandr,

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

Thank you,

Dylann Fezeu
Okta Help Center Team