SAML Single Logout - 403 Forbidden
https://support.okta.com/help/answers?id=906f0000000hzrqias&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Szabolcs Andrasi

SAML Single Logout - 403 Forbidden

Hi,

We're trying to integrate our service with Okta SAML SSO so we signed up for a developer account. The single sign-on part works but we are unable to sign out (SP initiated). We land on a 403 - Access forbidden page. We found in the Okta System Log the error message that says

Unable to process SAML Logout Request - The request is malformed and could not be parsed.

No more details about the nature of the error are in the log, so we are wondering what exactly we are doing wrong. In the Advanced SAML Settings section of the SAML Configuration page we enabled SLO (the "Allow application to initiate Single Logout" checkbox is checked), which requires us to upload our X.509 certificate so that Okta can verify that the SLO request comes from our service. We uploaded our (self-signed) certificate and also configured our Single Logout URL as well as the SP Issuer ID.

The SAML logout request seems to contain everything that's needed to sign out, including the NameID and SessionIndex from the single sign-on response. Here's an example logout request XML before it's deflated and base-64-encoded into the redirect URL:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="Our Okta SLO URL comes here" ID="_5e7a0610-9c70-0133-0b8e-48e0eb16d71f" IssueInstant="2016-01-13T22:10:24Z" Version="2.0">
    <saml:Issuer>Our Issuer ID appears here</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@email.com</saml:NameID>
    <samlp:SessionIndex>_eb4495a0-9c61-0133-0b84-48e0eb16d71f</samlp:SessionIndex>
</samlp:LogoutRequest>

Since the XML document appears to be valid, we think that there's something wrong with the signature. We've tried the embedded signature, using RSA-SHA1 as well as RSA-SHA256 algorithms. Instead of embedding the signature in the XML document we've also tried signing the logout request URL itself.

Nothing worked so far. Is the logout request XML invalid? Is something wrong with our private key / X.509 certificate? Are the signing algorithms unsupported? Did we misconfigure something? Is there a way to get more details about the error other than malformed XML? Any help is appreciated.

We are using the ruby-saml (https://github.com/onelogin/ruby-saml) gem by OneLogin, by the way.
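As an added illustration (not code from this thread or from the ruby-saml gem), here is what "signing the logout request URL itself" means under the SAML HTTP-Redirect binding: the SP deflates and base64-encodes the LogoutRequest, then signs the URL-encoded `SAMLRequest`, `RelayState` and `SigAlg` query parameters; the IdP rebuilds those exact octets from the raw query and verifies them with the public key from the uploaded SP certificate. The Destination, Issuer and RelayState values are constructed placeholders.

```ruby
require "openssl"
require "zlib"
require "base64"
require "cgi"

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed LogoutRequest modelled on the one in the question (Destination and Issuer are placeholders).
LOGOUT_REQUEST_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://idp.example.test/slo" ID="_5e7a0610-9c70-0133-0b8e-48e0eb16d71f" IssueInstant="2016-01-13T22:10:24Z" Version="2.0">
    <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@email.com</saml:NameID>
    <samlp:SessionIndex>_eb4495a0-9c61-0133-0b84-48e0eb16d71f</samlp:SessionIndex>
  </samlp:LogoutRequest>
XML

# HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64.
def encode_saml_request(xml)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  Base64.strict_encode64(deflater.deflate(xml, Zlib::FINISH))
end

def decode_saml_request(encoded)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.strict_decode64(encoded))
end

# The octets that get signed: URL-encoded SAMLRequest, optional RelayState, then SigAlg, in that order.
def signed_octets(enc_request, enc_relay_state, enc_sig_alg)
  relay = enc_relay_state ? "&RelayState=#{enc_relay_state}" : ""
  "SAMLRequest=#{enc_request}#{relay}&SigAlg=#{enc_sig_alg}"
end

# SP side: sign the query string (not the XML) with the SP private key and append Signature.
def build_redirect_query(xml, private_key, relay_state: nil)
  data = signed_octets(CGI.escape(encode_saml_request(xml)), relay_state && CGI.escape(relay_state), CGI.escape(SIG_ALG))
  sig = private_key.sign(OpenSSL::Digest.new("SHA256"), data)
  "#{data}&Signature=#{CGI.escape(Base64.strict_encode64(sig))}"
end

# IdP side: rebuild the signed octets from the raw (still-encoded) query; public_key comes from the uploaded SP certificate.
def verify_redirect_query(query, public_key)
  raw = query.split("&").each_with_object({}) { |kv, h| k, v = kv.split("=", 2); h[k] = v }
  return false unless raw["SAMLRequest"] && raw["SigAlg"] && raw["Signature"]
  return false unless CGI.unescape(raw["SigAlg"]) == SIG_ALG   # reject any algorithm other than the one expected
  data = signed_octets(raw["SAMLRequest"], raw["RelayState"], raw["SigAlg"])
  public_key.verify(OpenSSL::Digest.new("SHA256"), Base64.strict_decode64(CGI.unescape(raw["Signature"])), data)
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end
```

A verifier that expects these query parameters will not find a signature in a request whose signature is embedded in the XML instead, and will also reject a `SigAlg` it does not accept, which is why confirming which form the IdP expects is the first thing to check.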
Jim Knutson (Okta, Inc.)
Hello Szabolcs,
You may need to contact support to confirm the GA feature flag to support SP single logout is enabled for your developer org, or check any other org specific variables are correct.
Binh Le
Hello, I have the same problem, and the issue is with your SAML logout request, which is missing a signature for authentication. Please try to configure your service provider to attach the certificate when sending the SAML logout request.