https://support.okta.com/help/answers?id=906f0000000i06ziac&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Martin Holden

Does OKTA Validate Signature on SAML Authentication Requests

We are a Service Provider and have a customer using OKTA as their IdP.

We typically SIGN our SAML authentication requests, and are changing our certificate in the next few months. For other IdPs like ADFS, the customer can add our new cert as a secondary cert and so the "switch" is seamless.

I can't seem to find:
1. Where in OKTA I would upload the SP signing certificate?
2. If it is an option to DISABLE checking the signing of the request (or if OKTA does check even?)

Thanks
Karl McGuinness (Okta, Inc.)
Okta currently doesn't validate AuthnRequest signatures.  We require the ACS URL to be whitelisted in Okta and don't trust the ACS URL in the request.

We do require LogoutRequest signatures for SP-initiated Single Logout. This is supported for App Wizard created SAML applications and you can upload the new certificate in the SAML settings for the app if you are using this feature.
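
As an added illustration (not Okta's code and not part of the original thread), this sketch shows the general IdP-side pattern described in the answer above: the response destination is taken from ACS URLs registered at the IdP, so an unsigned or altered AuthnRequest cannot redirect the assertion elsewhere. The registry, entity ID, URLs and function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed IdP-side registry: SP entity ID -> ACS URLs configured by an admin.
# The first URL is treated as the default (an assumption of this sketch).
REGISTERED_ACS = {
    "https://sp.example.com/metadata": [
        "https://sp.example.com/saml/acs",
        "https://sp.example.com/saml/acs2",
    ],
}


def resolve_acs_url(authn_request_xml: str) -> str:
    """Return the URL the SAML response may be posted to, or raise ValueError.

    The request's signature is never consulted; the value it carries is only
    accepted if it exactly matches what is already registered for the issuer.
    """
    if "<!DOCTYPE" in authn_request_xml or "<!ENTITY" in authn_request_xml:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    allowed = REGISTERED_ACS.get(issuer)
    if not allowed:
        raise ValueError("unknown service provider: %r" % issuer)
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return allowed[0]  # nothing requested: use the registered default
    if requested not in allowed:  # exact match only, no prefix or wildcard
        raise ValueError("ACS URL not registered for this SP")
    return requested


def build_request(issuer: str, acs: str = None) -> str:
    """Build a constructed, unsigned AuthnRequest for the demonstration."""
    acs_attr = ' AssertionConsumerServiceURL="%s"' % acs if acs else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z"%s>'
        "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
    ) % (SAMLP, SAML, acs_attr, issuer)
```
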
Martin Holden
I assume the "Whitelist" is automatic based on the ACS urls the customer has created and activated, and doesn't require any additional steps?