We are using standard SAML request/response to authenticate users in our application. We are allowing users to log in through three identity providers - OneLogin, OKTA and Azure Active Directory. SSO is working fine for all of them. Regarding SLO, it is also working fine for OneLogin and Azure AD. But in the case of OKTA, we are getting a RequestDenied status in the SLO response.
OKTA asks for a public key certificate to enable SLO. We are new to these certificates. We are confused about what we should provide as a certificate. We tried the X.509 certificate that we got from the OKTA metadata, but it doesn't accept that and invalidates that certificate. Then we tried a sample certificate that was created before. OKTA accepted that certificate, but by using that we are getting the RequestDenied error. We also tried both HTTP-POST and HTTP-Redirect as the protocol binding, but that didn't solve the issue.
It will be great if we have some information on what certificate should be uploaded to OKTA for SLO, what certificate we should pass with the request, how to sign the SAML request, etc.
Also, we are confused about the 'SP Issuer' used for logout. Is it the same issuer that the OKTA metadata provides?
We downloaded the X.509 certificate from the instruction page of the Okta admin site (the page displayed by clicking the 'View Setup Instructions' button on the sign-on settings page of an Okta application) and uploaded that certificate as the signature certificate for logout. We are still getting the same issue - Request denied.
Are we using the right certificate? If not, where can I find the SAML SP certificate that you mentioned above?
One thing: in some comments related to this issue, I found that we need to sign the LogoutRequest and send it to OKTA. How can we sign a request message? Can you please provide a sample for that?
It will be great if you provide any sample code for SLO.
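As an added example (not the poster's code and not Okta's), here is how a SAML LogoutRequest is signed for the HTTP-Redirect binding in Go using only the standard library: the XML is DEFLATE-compressed, base64- and URL-encoded, and the signature is computed with the SP's private key over the exact `SAMLRequest=...&RelayState=...&SigAlg=...` string that is sent; the IdP verifies it with the public key from the certificate the SP uploaded, which is why the certificate registered at the IdP must match the SP's own signing key rather than the IdP's metadata certificate. The request XML, issuer, destination, NameID and the key are constructed placeholders.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

// Constructed sample LogoutRequest: Issuer, Destination, NameID and both IDs are placeholders.
const logoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.com/slo"><saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer><saml:NameID>user@example.com</saml:NameID><samlp:SessionIndex>_placeholder-session</samlp:SessionIndex></samlp:LogoutRequest>`
const sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // value sent in SigAlg

// newSPKey stands in for the SP's long-lived signing key (normally loaded from a PEM file).
func newSPKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// SignedQuery builds the redirect query: the SP signs, with its private key, exactly the
// URL-encoded "SAMLRequest[&RelayState]&SigAlg" string it will send, then appends Signature.
func SignedQuery(key *rsa.PrivateKey, xml, relayState string) (string, error) {
	var buf bytes.Buffer // HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only errors on a bad level
	w.Write([]byte(xml))
	if err := w.Close(); err != nil { return "", err }
	q := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" { q += "&RelayState=" + url.QueryEscape(relayState) }
	q += "&SigAlg=" + url.QueryEscape(sigAlg)
	digest := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyQuery is the IdP-side check over the raw query as received (never re-encoded),
// using the public key from the certificate the SP uploaded to the IdP.
func VerifyQuery(pub *rsa.PublicKey, query string) error {
	idx := strings.LastIndex(query, "&Signature=")
	if idx < 0 { return rsa.ErrVerification } // unsigned request is treated as a failure
	sigB64, err := url.QueryUnescape(query[idx+len("&Signature="):])
	if err != nil { return err }
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil { return err }
	digest := sha256.Sum256([]byte(query[:idx]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

A RequestDenied from the IdP is the expected outcome whenever the uploaded certificate does not correspond to the key used in SignedQuery, or when any of the three signed parameters is altered in transit.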