SAML LogoutResponse status returns Access Denied.
https://support.okta.com/help/answers?id=906f0000000i07yias&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Shekhar Dokania

SAML LogoutResponse status returns Access Denied.

I am trying to implement SAML SLO and have hit a road block. I am getting a RequestDenied status in the response for SLO and I can't see any logs in the System Log for it, while my SSO is working fine.

I am attaching the request response and metadata along, can anyone help please? 

REQUEST
<samlp:LogoutRequest Destination="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/slo/saml" ID="_5736c980-dfa9-0133-ce04-15fc9f26f9ed" IssueInstant="2016-04-08T11:17:01Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://staging.getsatisfaction.com/ria/saml/metadata</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">shekhar.dokania+saml@sprinklr.com</saml:NameID>
</samlp:LogoutRequest>

RESPONSE
<saml2p:LogoutResponse Destination="https://staging.getsatisfaction.com/ria/saml/logout" ID="id30646259865900361556371309" InResponseTo="_5736c980-dfa9-0133-ce04-15fc9f26f9ed" IssueInstant="2016-04-08T11:17:03.117Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk5jtmxnr9gO9Y6K0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id30646259865900361556371309">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>YF3D93wwylA4uOYeKujFleiHYQkZ5DAHXNzLJiK+G9Y=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>E01BdC7DsKBDF86pAodA6GywVlBN1QxtsaJlknk+uDI6glc/Lgu2wRfKwMYypO2tXSU6kea4enVvQs62NuNT5APF3g9YYpheuqLOxhHwSwu7a6Dwiv3OR8oSO2UCmIYiWtT0EoBVDbsk3Ux/p05ytUxly19PuA1pUB6he7Vwys0h4DfjJXt3L2crhKCCT3nJKQbT92dkRmtpGUSaAz8T3TNAe2YFY8HP6ebe6spYvL+L+Ym/rrY8Ki4e7fv+pzEur/mx9VIloN4b2YgwZ8NRMCTgxjnVtrlanvlEpfjOToaTYKO4JMmFzucydykkW6BkKdi4oPrqtHq3Jd7RwZyGiQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate> (replaced IDP cert)</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </saml2p:Status>
</saml2p:LogoutResponse>

METADATA
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.okta.com/exk5jtmxnr9gO9Y6K0h7" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>(Replaced Certs)</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/slo/saml"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/slo/saml"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/sso/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
 
Karl McGuinness (Okta, Inc.)
Are you using HTTP-POST or HTTP-Redirect binding? I don't see a signature on the request. The LogoutRequest message must be signed for SLO.
Shekhar Dokania
Hi Karl, I am using HTTP-Redirect binding. About the signature on the request, I didn't know about this. Can you please point me to a support doc related to it?
Thanks,
Raphael Londner (Okta, Inc.)
Shekhar, we don't have a support doc related to it at this stage, but I would also like to add that you need to use HTTP-POST to send your LogoutRequest and sign it. You can upload the public key certificate we can use to verify your signature in the Signature Certificate field (see the "Advanced Settings" section of https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard#Config_SAMLSettings)
Shekhar Dokania
Raphael, the Ruby library for SAML, https://github.com/onelogin/ruby-saml, does not support POST binding yet. Is HTTP-POST binding a hard requirement for Okta? I tried signing the request and response with HTTP-Redirect binding but still no luck.
Shekhar Dokania
I have been trying to find an HTTP-POST implementation of SLO but couldn't find any solid documentation or reference for it. Can you give me the request format for this, or an implementation in any other language, so that I can port it to Ruby?
Ankur Sinha
Hey Shekhar,

Were you able to resolve this issue? If so, please help us as we are also having same issue.

Please let us know.

Regards,
Akshat
Roman Loyko
Also faced the same issue. Did anyone resolve it?

Regards,
Roman
Charles Gebhard
Hi Raphael,
I'm not sure why you state that HTTP-POST is required. Okta's own IdP metadata states:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://..../slo/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://.../slo/saml"/>


Doesn't this mean that Okta supports both HTTP-POST and HTTP-Redirect at the same location?
Thanks,

Charles

Binh Le
The problem is your SAML logout request, which is missing a signature for authentication. Please try to configure your service provider again so that it attaches a certificate when sending the SAML logout request. I had the same issue but finally got it to work.
Jason Rossiter
Has anyone resolved this issue?

We've tried POSTing a SAMLRequest with the following payload (unpacked for readability, data removed).
We just receive an Okta login screen but the current browser session is unaffected. The same thing happens regardless of whether NameID and/or SessionIndex are provided.

When performing an SP-initiated SLO with Onelogin they will log out the SPs and also log out of the IDP session.

What is the expected SLO behaviour with Okta? 
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx9034329c-64f8-72da-d2ef-8ecf7aa20b1f"
                     Version="2.0" IssueInstant="2018-02-28T09:53:04Z"
                     Destination=".../slo/saml">
    <saml:Issuer>http://localhost/saml-metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#pfx9034329c-64f8-72da-d2ef-8ecf7aa20b1f">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>digest-value</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            something
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    something
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        xyz@abc.com
    </saml:NameID>
    <samlp:SessionIndex>abc123</samlp:SessionIndex>
</samlp:LogoutRequest>

 
Guru Srikar
I was struggling to get the SLO working with okta for quite some time and finally managed to resolve it. Note that I do not use any SAML library for our implementation and pretty much do all the request building and signing by myself.

When I built and sent a SP initiated SLO with HTTP-Redirect binding, our application received a LogoutResponse with AuthnFailed status. After a lot of trial and error attempts, here are the steps that I carefully followed to make it work.
  1. All SLO requests must be signed by the initiator. The process of signing the logout request is different for HTTP-Redirect binding and HTTP-POST binding. I used Redirect binding, and the process of signing is described in detail in section 3.4.4.1 of the SAML Bindings specification (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf). In short, HTTP-Redirect binding needs the query parameters to be signed, not the XML request.
  2. In Redirect binding, the XML signature should not be part of the XML. In POST binding, it should be part of the XML.
  3. Encoding the query parameters should be done before generating the signature rather than after. For example, the signature generation steps are as below:
     1. queryStr = "SAMLRequest=" + UrlEncodeStr(logoutReqXML) + "&SigAlg=" + UrlEncodeStr("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
     2. signatureStr = signQueryStr(queryStr);
     3. b64Signature = encodeBase64(signatureStr);
     4. finalReqURL = idpSLOUrl + "?" + queryStr + "&Signature=" + UrlEncodeStr(b64Signature);

I wasn't doing the URL encoding properly and was scratching my head all along until I finally started reading the specification in detail. All these steps are mentioned in the Bindings specification (linked above).
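The HTTP-Redirect signing procedure described in the steps above, written out as an added example in Ruby (this is not code from the thread, from Okta, or from ruby-saml). It goes slightly beyond the steps: it includes the optional RelayState in the signed string in the order the SAML Bindings spec fixes (SAMLRequest, RelayState, SigAlg), uses rsa-sha256 instead of the rsa-sha1 quoted above, and shows the receiving side, which rebuilds the signed string from the exact encoded octets it received and only inflates the XML after the signature checks, the same order of operations that turns an unsigned request into a RequestDenied rather than a logout. The endpoints, the LogoutRequest text and the freshly generated key pair are all constructed for the example; the key stands in for the SP certificate that would be uploaded to the IdP. The `sign_unencoded:` switch reproduces the mistake the poster describes (signing the raw values and URL-encoding afterwards) so that you can see it fail.

```ruby
require 'openssl'
require 'zlib'
require 'base64'
require 'uri'

# Hypothetical endpoints and a sample LogoutRequest, constructed for this example.
IDP_SLO_URL = 'https://idp.example.com/slo'
SIG_ALG_RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
SAMPLE_LOGOUT_REQUEST = <<~XML
  <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1" Version="2.0" IssueInstant="2016-04-08T11:17:01Z" Destination="#{IDP_SLO_URL}">
    <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </samlp:LogoutRequest>
XML
# Demo key pair standing in for the SP signing key (assumption: in practice the
# matching certificate is what gets uploaded to the IdP's signature certificate field).
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

# Redirect binding: raw DEFLATE (no zlib header) then base64, before URL-encoding.
def deflate_b64(xml)
  d = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = d.deflate(xml, Zlib::FINISH)
  d.close
  Base64.strict_encode64(out)
end

def inflate_b64(b64)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.strict_decode64(b64))
end

# SP side. The signature covers the URL-ENCODED string
# "SAMLRequest=...[&RelayState=...]&SigAlg=..." in exactly that order
# (SAML Bindings 3.4.4.1). sign_unencoded: true reproduces the bug of signing
# the raw values and encoding afterwards; a correct verifier rejects that.
def build_redirect_url(idp_slo_url, request_xml, private_key, relay_state: nil, sign_unencoded: false)
  values = { 'SAMLRequest' => deflate_b64(request_xml) }
  values['RelayState'] = relay_state if relay_state
  values['SigAlg'] = SIG_ALG_RSA_SHA256
  encoded_query = values.map { |k, v| "#{k}=#{URI.encode_www_form_component(v)}" }.join('&')
  raw_query     = values.map { |k, v| "#{k}=#{v}" }.join('&')
  to_sign = sign_unencoded ? raw_query : encoded_query
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), to_sign)
  "#{idp_slo_url}?#{encoded_query}&Signature=#{URI.encode_www_form_component(Base64.strict_encode64(signature))}"
end

# IdP side. Returns [true, logout_request_xml] or [false, reason].
# The signed string is rebuilt from the received (still encoded) octets, never
# from decoded-then-re-encoded values, and the XML is only inflated after the
# signature has been verified with the SP's registered key.
def verify_redirect_url(url, public_key)
  raw = {}
  URI.parse(url).query.to_s.split('&').each do |kv|
    k, v = kv.split('=', 2)
    raw[k] = v || ''
  end
  return [false, 'unsigned request: Signature/SigAlg missing'] unless raw['Signature'] && raw['SigAlg']
  return [false, 'SAMLRequest missing'] unless raw['SAMLRequest']
  return [false, 'unsupported SigAlg'] unless URI.decode_www_form_component(raw['SigAlg']) == SIG_ALG_RSA_SHA256
  signed = %w[SAMLRequest RelayState SigAlg].select { |k| raw.key?(k) }.map { |k| "#{k}=#{raw[k]}" }.join('&')
  begin
    sig = Base64.strict_decode64(URI.decode_www_form_component(raw['Signature']))
    return [false, 'bad signature'] unless public_key.verify(OpenSSL::Digest.new('SHA256'), sig, signed)
    [true, inflate_b64(URI.decode_www_form_component(raw['SAMLRequest']))]
  rescue ArgumentError, Zlib::Error, OpenSSL::PKey::PKeyError => e
    [false, "malformed request: #{e.class}"]
  end
end

if __FILE__ == $0
  url = build_redirect_url(IDP_SLO_URL, SAMPLE_LOGOUT_REQUEST, DEMO_KEY, relay_state: 'https://sp.example.com/after logout')
  puts url
  p verify_redirect_url(url, DEMO_KEY.public_key)[0]
  p verify_redirect_url("#{IDP_SLO_URL}?SAMLRequest=#{URI.encode_www_form_component(deflate_b64(SAMPLE_LOGOUT_REQUEST))}", DEMO_KEY.public_key)
  p verify_redirect_url(build_redirect_url(IDP_SLO_URL, SAMPLE_LOGOUT_REQUEST, DEMO_KEY, sign_unencoded: true), DEMO_KEY.public_key)
end
```

The order matters on both sides: the SP must URL-encode first and sign second, and the IdP must verify against the encoded bytes it actually received. Re-encoding on the verifying side is a common source of spurious "bad signature" results because `+`, `/` and `=` in base64 can be encoded differently by different libraries; using the raw query avoids that entirely. Rejecting any request that lacks `Signature`/`SigAlg` before touching the XML is what keeps an unauthenticated party from logging a user out or probing the SLO endpoint with crafted requests.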