I am trying to get SAML Global Logout to work in the Spring sample application with Okta. After setting the parameters in the advanced settings as specified in the link https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard#SAMLConfigureSAML, I am getting an error regarding the destination endpoint: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
The error occurs because in the SAML LogoutResponse from Okta the Destination is the SP's SSO endpoint, but the message is posted to the SP's single logout endpoint: <saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/OktaSLOSample/saml/SSO" ID="id21496932117164504147781404"...
Below are the values used in the SAML settings:
Single sign on URL / Recipient URL / Destination URL: http://localhost:8080/OktaSLOSample/saml/SSO
Audience URI (SP Entity ID): http://localhost:8080/OktaSLOSample/saml/metadata
Enable Single Logout: True
Single Logout URL: http://localhost:8080/OktaSLOSample/saml/SingleLogout
SP Issuer: http://localhost:8080/OktaSLOSample/saml/metadata
Signature Certificate: I have uploaded the certificate of alias apollo extracted from samlKeystore.jks
I noticed that the Destination of the SAML LogoutResponse always has the value from the "Destination URL" SAML setting. This doesn't work, since the SP has different SSO and SingleLogout endpoints. If I change the Destination URL in the Okta app to http://localhost:8080/OktaSLOSample/saml/SingleLogout, single logout works but login does not. Can you please help me with this issue?
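As an added illustration (not code from the question, from Okta, or from Spring SAML), here is the receiving-endpoint check that produces the error above, written in Python rather than the sample application's Java. It compares a message's Destination attribute with the endpoint that actually received it, using the SP endpoint URLs listed in the question and a constructed LogoutResponse with a placeholder ID; the endpoint table and function names are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# SP endpoints from the question: which protocol message each one may receive.
SP_ENDPOINTS = {
    "http://localhost:8080/OktaSLOSample/saml/SSO": {"Response"},
    "http://localhost:8080/OktaSLOSample/saml/SingleLogout": {"LogoutRequest", "LogoutResponse"},
}
# Constructed LogoutResponse mirroring the failing message (placeholder ID):
# Destination names the SSO endpoint although Okta posts it to SingleLogout.
SAMPLE_LOGOUT_RESPONSE = """<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="http://localhost:8080/OktaSLOSample/saml/SSO"
  ID="_placeholder-id" IssueInstant="2015-01-01T00:00:00Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
</saml2p:LogoutResponse>"""

def normalize_url(url):
    """Lower-case scheme and host and drop default ports so equivalent
    endpoint URLs compare equal; path and query are kept verbatim."""
    p = urlsplit(url)
    port = p.port
    if (p.scheme.lower(), port) in (("http", 80), ("https", 443)):
        port = None
    netloc = p.hostname or ""
    if port is not None:
        netloc = f"{netloc}:{port}"
    return urlunsplit((p.scheme.lower(), netloc, p.path, p.query, ""))

def check_received_endpoint(xml_text, recipient_endpoint):
    """Return (ok, reason). Accept only if the endpoint may receive this message
    type and the message's Destination names that endpoint. A missing
    Destination is rejected as a deliberately strict policy (SAML 2.0 core
    only requires the attribute on signed messages)."""
    root = ET.fromstring(xml_text)
    ns, _, msg_type = root.tag[1:].partition("}")
    if ns != SAMLP_NS:
        return False, f"unexpected root element {root.tag}"
    if msg_type not in SP_ENDPOINTS.get(recipient_endpoint, set()):
        return False, f"{msg_type} is not accepted at {recipient_endpoint}"
    destination = root.get("Destination")
    if destination is None:
        return False, f"{msg_type} carries no Destination attribute"
    if normalize_url(destination) != normalize_url(recipient_endpoint):
        return False, (f"{msg_type} Destination {destination} did not match "
                       f"recipient endpoint {recipient_endpoint}")
    return True, f"{msg_type} Destination matches {recipient_endpoint}"
```

Running the constructed message through `check_received_endpoint` with the SingleLogout URL reproduces the mismatch; the same message with Destination set to the SingleLogout URL passes, which is what the Okta fix has to emit.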
The engineering team has confirmed that this is indeed a bug, for a case I had opened on the same topic. The identifier for this issue is OKTA-69971. Once this issue is resolved, the identifier should be listed in the Okta release notes.
Just wanted to let you know that the release version for this fix (OKTA-69971) is 2015.44, which is due to go live tomorrow evening for oktapreview.com orgs, and will flow into production next week.
Please let us know if you have any additional questions. If not, we'll close this case out tomorrow afternoon; you may re-open it at any time if it is determined that the issue is not resolved. Thanks for your patience in allowing us to resolve this issue for you. Thank you,