Okta Classic Engine · Okta Integration Network · Answered · 2016-04-08 (updated 2018-04-02, 2024-04-30)
SAML LogoutResponse status returns Access Denied.
I am trying to implement SAML SLO and have hit a roadblock: I am getting a RequestDenied status in the response for SLO, and I can't see any logs in the System Log for it, while my SSO is working fine.

I am attaching the request, response and metadata. Can anyone help, please?

REQUEST

<samlp:LogoutRequest Destination="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/slo/saml" ID="_5736c980-dfa9-0133-ce04-15fc9f26f9ed" IssueInstant="2016-04-08T11:17:01Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://staging.getsatisfaction.com/ria/saml/metadata</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">shekhar.dokania+saml@sprinklr.com</saml:NameID>
</samlp:LogoutRequest>


RESPONSE

<saml2p:LogoutResponse Destination="https://staging.getsatisfaction.com/ria/saml/logout" ID="id30646259865900361556371309" InResponseTo="_5736c980-dfa9-0133-ce04-15fc9f26f9ed" IssueInstant="2016-04-08T11:17:03.117Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk5jtmxnr9gO9Y6K0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id30646259865900361556371309">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>YF3D93wwylA4uOYeKujFleiHYQkZ5DAHXNzLJiK+G9Y=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>E01BdC7DsKBDF86pAodA6GywVlBN1QxtsaJlknk+uDI6glc/Lgu2wRfKwMYypO2tXSU6kea4enVvQs62NuNT5APF3g9YYpheuqLOxhHwSwu7a6Dwiv3OR8oSO2UCmIYiWtT0EoBVDbsk3Ux/p05ytUxly19PuA1pUB6he7Vwys0h4DfjJXt3L2crhKCCT3nJKQbT92dkRmtpGUSaAz8T3TNAe2YFY8HP6ebe6spYvL+L+Ym/rrY8Ki4e7fv+pzEur/mx9VIloN4b2YgwZ8NRMCTgxjnVtrlanvlEpfjOToaTYKO4JMmFzucydykkW6BkKdi4oPrqtHq3Jd7RwZyGiQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>(replaced IDP cert)</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </saml2p:Status>
</saml2p:LogoutResponse>


METADATA

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.okta.com/exk5jtmxnr9gO9Y6K0h7" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>(Replaced Certs)</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/slo/saml"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/slo/saml"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-294200.oktapreview.com/app/sprinklrdev294200_gsstagingria_1/exk5jtmxnr9gO9Y6K0h7/sso/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>


  • kmcguinness (Okta, Inc.)

    Are you using HTTP-POST or HTTP-Redirect binding? I don't see a signature on the request. The LogoutRequest message must be signed for SLO.
  • jd5vr (jd5vr)

    Hi Karl, I am using HTTP-Redirect binding. About the signature on the request, I didn't know about this. Can you please point me to a support doc related to it?

    Thanks,
  • j5v7c (j5v7c)

    Shekhar, we don't have a support doc related to it at this stage, but I would also like to add that you need to use HTTP-POST to send your LogoutRequest and sign it. You can upload the public key certificate we can use to verify your signature in the Signature Certificate field (see the "Advanced Settings" section of https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard#Config_SAMLSettings)
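As an added, constructed example (not the poster's code, ruby-saml's, or Okta's), a pre-flight check in Python that applies the two points raised in this thread before the LogoutRequest is sent: the Destination must match an SLO endpoint the IdP metadata advertises for the binding used, and the request must be signed (an enveloped ds:Signature for HTTP-POST, SigAlg/Signature query parameters for HTTP-Redirect). It checks signature presence only, not validity, and also pulls the short status name out of a LogoutResponse such as the RequestDenied one above. Hosts, ids and the entityID are placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def slo_endpoints(metadata_xml):
    # Map binding URN -> SingleLogoutService Location advertised in the IdP metadata.
    root = ET.fromstring(metadata_xml)
    return {e.get("Binding"): e.get("Location")
            for e in root.iterfind(".//md:SingleLogoutService", NS)}

def check_logout_request(request_xml, metadata_xml, binding, query=None):
    # Structural reasons an IdP would answer RequestDenied (checks signature presence,
    # not validity): POST needs an enveloped ds:Signature, Redirect signs via SigAlg/Signature params.
    problems, root, endpoints = [], ET.fromstring(request_xml), slo_endpoints(metadata_xml)
    if binding not in endpoints:
        problems.append("IdP metadata advertises no SLO endpoint for this binding")
    elif root.get("Destination") != endpoints[binding]:
        problems.append("Destination does not match the IdP SLO Location")
    for tag in ("saml:Issuer", "saml:NameID"):
        if root.find(tag, NS) is None:
            problems.append(f"missing {tag}")
    if binding == POST and root.find("ds:Signature", NS) is None:
        problems.append("HTTP-POST LogoutRequest has no enveloped ds:Signature")
    if binding == REDIRECT and not (query and {"SigAlg", "Signature"} <= set(query)):
        problems.append("HTTP-Redirect LogoutRequest lacks SigAlg/Signature parameters")
    return problems

def logout_response_status(response_xml, request_id):
    # (short status name, whether InResponseTo correlates with the request we sent)
    root = ET.fromstring(response_xml)
    code = root.find(".//samlp:StatusCode", NS).get("Value")
    return code.rsplit(":", 1)[-1], root.get("InResponseTo") == request_id

# Constructed sample messages: placeholder hosts, ids and entityID, not the poster's data.
SLO = "https://idp.example.test/app/exampleapp/slo/saml"
METADATA = f'''<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="http://www.okta.com/exkPLACEHOLDER">
<md:IDPSSODescriptor><md:SingleLogoutService Binding="{POST}" Location="{SLO}"/>
<md:SingleLogoutService Binding="{REDIRECT}" Location="{SLO}"/></md:IDPSSODescriptor></md:EntityDescriptor>'''
UNSIGNED_REQUEST = f'''<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_req1"
Version="2.0" IssueInstant="2016-04-08T11:17:01Z" Destination="{SLO}">
<saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
</samlp:LogoutRequest>'''
DENIED_RESPONSE = f'''<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" ID="_resp1" InResponseTo="_req1" Version="2.0"
IssueInstant="2016-04-08T11:17:03Z"><samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:Status></samlp:LogoutResponse>'''
```

Running `check_logout_request(UNSIGNED_REQUEST, METADATA, POST)` reproduces the situation in this thread: the only finding is the missing enveloped signature.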
  • jd5vr (jd5vr)

    Raphael, the Ruby library for SAML, https://github.com/onelogin/ruby-saml, does not support POST binding yet. Is HTTP-POST binding a hard requirement for Okta? I tried signing the request and response with HTTP-Redirect binding but still no luck.
  • jd5vr (jd5vr)

    I have been trying to find an HTTP-POST implementation of SLO but couldn't find any solid documentation or reference for it. Can you give me the request format for this, or an implementation in any other language, so that I can port it to Ruby?
  • kgaqr (kgaqr)

    Hey Shekhar,

    Were you able to resolve this issue? If so, please help us, as we are also having the same issue.

    Please let us know.

    Regards,

    Akshat
  • j59fh (j59fh)

    Also faced the same issue. Did anyone resolve it?

    Regards,

    Roman
  • CharlesG.28457 (Customer)

    Hi Raphael,

    I'm not sure why you state that HTTP-POST is required. Okta's own IdP metadata states:

    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://..../slo/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://.../slo/saml"/>

    Doesn't this mean that Okta supports both HTTP-POST and HTTP-Redirect at the same location?

    Thanks,

    Charles

  • BinhL.86758 (Customer)

    The problem is that your SAML logout request is missing a signature for authentication. Please try to configure your service provider again so that it attaches a certificate when sending the SAML logout request. I had the same issue, but I finally found a workaround.
  • h0byi (h0byi)

    Has anyone resolved this issue?

    We've tried POSTing a SAMLRequest with the following payload (unpacked for readability, data removed).

    We just receive an Okta login screen, but the current browser session is unaffected. The same thing happens regardless of whether NameID and/or SessionIndex are provided.

    When performing an SP-initiated SLO with OneLogin, they will log out the SPs and also log out of the IdP session.

    What is the expected SLO behaviour with Okta?

    <?xml version="1.0"?>
    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx9034329c-64f8-72da-d2ef-8ecf7aa20b1f" Version="2.0" IssueInstant="2018-02-28T09:53:04Z" Destination=".../slo/saml">
        <saml:Issuer>http://localhost/saml-metadata</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#pfx9034329c-64f8-72da-d2ef-8ecf7aa20b1f">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>digest-value</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>something</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>something</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xyz@abc.com</saml:NameID>
        <samlp:SessionIndex>abc123</samlp:SessionIndex>
    </samlp:LogoutRequest>

This question is closed.