Okta Classic Engine | Okta Integration Network | Answered | Asked 2016-04-06T08:36:42Z, last updated 2020-06-29T10:10:23Z
Does OKTA Validate Signature on SAML Authentication Requests
We are a Service Provider and have a customer using OKTA as their IdP.

We typically SIGN our SAML authentication requests, and are changing our certificate in the next few months. For other IdPs like ADFS, the customer can add our new cert as a secondary cert and so the "switch" is seamless.

I can't seem to find:

1. Where in OKTA I would upload the SP signing certificate?

2. If it is an option to DISABLE checking the signing of the request (or if OKTA does check even?)

Thanks

  • kmcguinness (Okta, Inc.)

    Okta currently doesn't validate AuthnRequest signatures. We require the ACS URL to be whitelisted in Okta and don't trust the ACS URL in the request.

    We do require LogoutRequest signatures for SP-initiated Single Logout. This is supported for App Wizard created SAML applications and you can upload the new certificate in the SAML settings for the app if you are using this feature.
    • TroyM.47163 (Customer)

      This implies forceAuthn is not enforceable since the client may remove it from the SAMLRequest at will, allowing an attacker to gain access to more restricted services from an unattended session.

  • MartinH.63611 (Customer)

    I assume the "Whitelist" is automatic based on the ACS urls the customer has created and activated, and doesn't require any additional steps?
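Added example (not code from this thread, from Okta, or from any SAML library): a service-provider-side check that covers the two points raised above. Since the IdP does not validate AuthnRequest signatures, the SP cannot rely on a ForceAuthn="true" attribute having reached the IdP unchanged, but it can still detect that no fresh authentication took place by comparing the assertion's AuthnInstant with the IssueInstant of the request it sent. The same function checks InResponseTo against the outstanding request ID and that Destination is one of the SP's own registered ACS URLs, the SP-side counterpart of the whitelist the answer describes. It assumes the Response's XML signature has already been verified by your SAML stack; the request ID, ACS URL, issuer and the sample Response are constructed values.

```python
"""SP-side binding and freshness checks on a SAML 2.0 Response (illustrative, stdlib only).

Assumption: the XML signature on the Response/Assertion has already been verified
before this function is called. This code only checks binding and freshness.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces as defined by OASIS.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
RESPONSE_TAG = "{%s}Response" % NS["samlp"]


def parse_instant(value):
    """Parse a SAML xs:dateTime (e.g. 2020-06-29T10:10:23Z or ...23.000Z) into an aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a trailing Z: %r" % value)
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_response(response_xml, request_id, request_issue_instant, allowed_acs_urls,
                   clock_skew=timedelta(seconds=60), require_fresh_authn=True):
    """Return (True, "ok") or (False, reason).

    request_id / request_issue_instant: what the SP recorded when it sent its AuthnRequest.
    allowed_acs_urls: the ACS URLs the SP itself registered (never taken from the request).
    require_fresh_authn: True when the SP sent ForceAuthn="true" and expects a new login.
    """
    root = ET.fromstring(response_xml)
    if root.tag != RESPONSE_TAG:
        return False, "not a samlp:Response"
    # Bind the response to the request we actually sent.
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match the outstanding request"
    # Only accept delivery to an ACS URL we own.
    if root.get("Destination") not in allowed_acs_urls:
        return False, "Destination is not a registered ACS URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"
    statement = assertion.find("saml:AuthnStatement", NS)
    if statement is None or statement.get("AuthnInstant") is None:
        return False, "no AuthnStatement/AuthnInstant"
    authn_instant = parse_instant(statement.get("AuthnInstant"))
    # Freshness: if we asked for ForceAuthn, the user must have authenticated
    # after we issued the request (allowing for clock skew). An AuthnInstant
    # older than that means the IdP reused an existing session.
    if require_fresh_authn and authn_instant + clock_skew < request_issue_instant:
        return False, "stale authentication: AuthnInstant predates our request (ForceAuthn not honoured)"
    return True, "ok"


# --- constructed sample data (hypothetical SP and IdP) ---
REQUEST_ID = "_req-1234"
REQUEST_ISSUED = parse_instant("2020-06-29T10:10:23Z")
ACS_URLS = {"https://sp.example.com/saml/acs"}


def sample_response(authn_instant, destination="https://sp.example.com/saml/acs"):
    """Build a minimal (unsigned, constructed) samlp:Response with the given AuthnInstant."""
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0"
    IssueInstant="2020-06-29T10:10:30Z" InResponseTo="%s" Destination="%s">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-29T10:10:30Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="%s" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>""" % (REQUEST_ID, destination, authn_instant)


if __name__ == "__main__":
    # Fresh login a few seconds after our request: accepted.
    print(check_response(sample_response("2020-06-29T10:10:28Z"), REQUEST_ID, REQUEST_ISSUED, ACS_URLS))
    # Session established two hours earlier: ForceAuthn was not honoured, rejected.
    print(check_response(sample_response("2020-06-29T08:00:00Z"), REQUEST_ID, REQUEST_ISSUED, ACS_URLS))
```

The freshness check is the SP's own defence: it does not depend on the IdP having seen or enforced ForceAuthn, only on the AuthnInstant the IdP asserts (and signs). Keep the clock-skew window small; a generous window reopens the gap the check is meant to close.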
This question is closed.