We're trying to integrate our service with Okta SAML SSO so we signed up for a developer account. The single sign-on part works but we are unable to sign out (SP initiated). We land on a 403 - Access forbidden page. We found in the Okta System Log the error message that says
Unable to process SAML Logout Request - The request is malformed and could not be parsed.
No more details about the nature of the error are in the log so we are wondering what exactly we do wrong. In the Advanced SAML Settings section of the SAML Configuration page we enabled SLO (The Allow application to initiate Single Logout checkbox is checked) which requires us to upload our X.509 certificate so that Okta can verify that the SLO request comes from our service. We uploaded our (self-signed) certificate and also configured our Single Logout URL as well as the SP Issuer ID.
The SAML logout request seems to contain everything that's needed to sign out, including the NameID and SessionIndex from the single sign-on response. Here's an example logout request XML before it's deflated and base-64-encoded into the redirect URL:
Since the XML document appears to be valid we think that there's something wrong with the signature. We've tried the embedded signature, using the RSA-SHA1 as well as RSA-SHA256 algorithms. Instead of embedding the signature in the XML document we've also tried signing the logout request URL itself.
Nothing worked so far. Is the logout request XML invalid? Is something wrong with our private key / X.509 certificate? Are the signing algorithms unsupported? Did we misconfigure something? Is there a way to get more details about the error other than malformed XML? Any help is appreciated.
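As an added illustration (not the poster's code, not Okta's), this shows how the SAML HTTP-Redirect binding is supposed to encode and sign an SP-initiated LogoutRequest: raw DEFLATE without a zlib header, base64, then a signature over the URL-encoded query in the fixed order SAMLRequest, RelayState, SigAlg. The issuer, NameID, session index and Okta URL are constructed placeholders, and the RSA signing itself is left to a caller-supplied function.

```python
import base64
import zlib
from urllib.parse import quote

# Constructed sample LogoutRequest; all identifiers are placeholders.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://EXAMPLE.okta.com/app/EXAMPLE/slo/saml">'
    '<saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>'
    '<saml:NameID>user@example.test</saml:NameID>'
    '<samlp:SessionIndex>_placeholder-session-index</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_redirect(xml: str) -> str:
    # Redirect binding uses raw DEFLATE (wbits=-15): no zlib header, no checksum.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def decode_redirect(saml_request_b64: str) -> str:
    return zlib.decompress(base64.b64decode(saml_request_b64), -15).decode()

def signing_input(saml_request_b64: str, sig_alg: str, relay_state=None) -> bytes:
    # The signed octets are the URL-encoded parameters, in exactly this order.
    parts = ["SAMLRequest=" + quote(saml_request_b64, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts).encode()

def build_redirect_url(destination, xml, sign, sig_alg=RSA_SHA256, relay_state=None):
    # sign(data: bytes) -> bytes is supplied by the caller (e.g. RSA-SHA256 with the SP key).
    query = signing_input(encode_redirect(xml), sig_alg, relay_state)
    signature = base64.b64encode(sign(query)).decode()
    return f"{destination}?{query.decode()}&Signature={quote(signature, safe='')}"

def diagnose(saml_request_b64: str) -> str:
    # Tell a correct raw-DEFLATE payload from the common zlib.compress() mistake,
    # which prepends an RFC 1950 header the IdP cannot inflate as a SAMLRequest.
    data = base64.b64decode(saml_request_b64)
    try:
        zlib.decompress(data, -15)
        return "raw-deflate"
    except zlib.error:
        pass
    try:
        zlib.decompress(data)
        return "zlib-wrapped"
    except zlib.error:
        return "undecodable"
```

Running diagnose() over the SAMLRequest value actually sent is a quick way to separate an encoding problem from a signature problem before looking at keys and algorithms.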
Hello, I have the same problem, and the issue is that your SAML logout request is missing a signature for authentication. Please try to configure your service provider to attach the certificate when sending the SAML logout request.