Getting RequestDenied status in SLO response
https://support.okta.com/help/answers?id=906f0000000i0roia0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Mitesh Jadav

Hi,

We are using standard SAML request/response to authenticate users in our application. We are allowing users to log in through three identity providers: OneLogin, OKTA and Azure Active Directory. SSO is working fine for all of them. Regarding SLO, it is also working fine for OneLogin and Azure AD. But in the case of OKTA, we are getting RequestDenied status in the SLO response.

OKTA asks for a public key certificate to enable SLO. We are new to these certificates. We are confused about what we should provide as a certificate. We tried the X.509 certificate that we got from the OKTA metadata, but it doesn't accept that and invalidates that certificate. Then we tried a sample certificate that was created before. OKTA accepted that certificate, but by using that we are getting the RequestDenied error. We also tried both HTTP-POST and HTTP-Redirect as the protocol binding, but that didn't solve the issue.

It will be great if we have some information on what certificate should be uploaded to OKTA for SLO, what certificate we should pass with the request, how to sign the SAML request, etc.

Also, we are confused about the 'SP Issuer' used for logout. Is it the same issuer that the OKTA metadata provides?

Thanks,
Mitesh J.
Gabriel Sroka (Okta, Inc.)
Hi Mitesh
Okta is acting as a SAML IdP (Identity Provider). For SLO, it needs the certificate of the SAML SP (Service Provider), that is, the app that Okta is providing SSO for.

For example, if Okta is providing SSO to Box.com, then Okta is the IdP and Box.com is the SP.

Check out:
https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
Mitesh Jadav
Hi Gabriel

Thanks for the quick reply.

We downloaded the X.509 certificate from the instruction page of the Okta admin site (the page displayed by clicking on the 'View Setup instructions' button on the sign-on settings page of an Okta application) and uploaded that certificate as the signature certificate for logout. Still we are getting the same issue: Request denied.

Are we using the right certificate?
If no, where can I find the SAML SP certificate that you mentioned above?

One thing: in some comments related to this issue, I found that we need to sign the LogOut request and send it to OKTA. How can we sign a request message? Can you please provide any sample for that?

It will be great if you provide any sample code for SLO.

Thanks,
Mitesh
Gabriel Sroka (Okta, Inc.)
Hi Mitesh,
When configuring SLO in Okta, you need to provide the SP's certificate. This should be available from the SP; check their documentation.
Which SP are you using?
Okta Service
You need an SSL Cert in the PEM .pem format, like from a CA cert authority. Or the SP can give you one.
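
The answers above say the IdP needs the SP's own certificate. As an added example (not code from this thread or from Okta), the following creates an SP key pair with a PEM certificate, signs a LogoutRequest for the HTTP-Redirect binding with the SP's private key, and shows that only the certificate matching that key verifies the signature. It assumes the `openssl` CLI is on PATH; the function names, hostnames, request ID and NameID are constructed.

```python
import base64, subprocess, tempfile, urllib.parse, zlib
from pathlib import Path

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SAMPLE_LOGOUT_REQUEST = (  # constructed sample; IDs, hosts and NameID are placeholders
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/slo">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '<saml:NameID>user@example.test</saml:NameID></samlp:LogoutRequest>')

def _openssl(*args, data=None, check=True):
    return subprocess.run(["openssl", *args], input=data, check=check, capture_output=True)

def make_keypair(workdir, name):
    """RSA key plus self-signed PEM certificate; the SP uploads the .pem to the IdP."""
    key, crt = Path(workdir, name + ".key"), Path(workdir, name + ".pem")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-subj", "/CN=" + name, "-keyout", str(key), "-out", str(crt))
    return key, crt

def signed_logout_query(xml, key, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode, sign the query string."""
    z = zlib.compressobj(wbits=-15)                  # -15 = raw DEFLATE, no zlib header
    params = [("SAMLRequest", base64.b64encode(z.compress(xml.encode()) + z.flush()).decode())]
    if relay_state:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", SIG_ALG))               # order is fixed by the binding
    to_sign = "&".join(k + "=" + urllib.parse.quote(v, safe="") for k, v in params)
    sig = _openssl("dgst", "-sha256", "-sign", str(key), data=to_sign.encode()).stdout
    return to_sign + "&Signature=" + urllib.parse.quote(base64.b64encode(sig).decode(), safe="")

def verifies_with_cert(query, crt):
    """Receiver's view: does the public key in this certificate validate the signature?"""
    signed, _, sig_q = query.rpartition("&Signature=")
    with tempfile.TemporaryDirectory() as d:
        pub, sig = Path(d, "pub.pem"), Path(d, "sig.bin")
        pub.write_bytes(_openssl("x509", "-in", str(crt), "-pubkey", "-noout").stdout)
        sig.write_bytes(base64.b64decode(urllib.parse.unquote(sig_q)))
        result = _openssl("dgst", "-sha256", "-verify", str(pub), "-signature", str(sig),
                          data=signed.encode(), check=False)
    return result.returncode == 0

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        sp_key, sp_crt = make_keypair(work, "sp.example.test")
        _, other_crt = make_keypair(work, "other.example.test")
        q = signed_logout_query(SAMPLE_LOGOUT_REQUEST, sp_key)
        print("SP cert:", verifies_with_cert(q, sp_crt), "| unrelated cert:", verifies_with_cert(q, other_crt))
```

The `.pem` file is the public half that gets uploaded; the `.key` file stays on the SP and is what signs each logout request.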