Getting RequestDenied status in SLO response
Hi,

We are using standard SAML request/response to authenticate users in our application. We are allowing users to log in through three identity providers - OneLogin, OKTA and Azure Active Directory. SSO is working fine for all of them. Regarding SLO, it is also working fine for OneLogin and Azure AD. But in the case of OKTA, we are getting a RequestDenied status in the SLO response.

OKTA asks for a public key certificate to enable SLO. We are new to these certificates. We are confused about what we should provide as a certificate. We tried the X.509 certificate that we got from the OKTA metadata, but it doesn't accept that and invalidates that certificate. Then we tried a sample certificate that was created before. OKTA accepted that certificate, but by using that we are getting the RequestDenied error. We also tried both HTTP-POST and HTTP-Redirect as the protocol binding, but that didn't solve the issue.

It would be great if we had some information on what certificate should be uploaded to OKTA for SLO, what certificate we should pass with the request, how to sign the SAML request, etc.

Also, we are confused about the 'SP Issuer' used for logout. Is it the same issuer that the OKTA metadata provides?

Thanks,

Mitesh J.

  • Hi Mitesh

    Okta is acting as a SAML IdP (Identity Provider). For SLO, it needs the certificate of the SAML SP (Service Provider), that is, the app that Okta is providing SSO for.

    For example, if Okta is providing SSO to Box.com, then Okta is the IdP and Box.com is the SP.

    Check out:

    https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
  • MiteshJ.22605 (Customer)

    Hi Gabriel

    Thanks for the quick reply.

    We downloaded the X.509 certificate from the instruction page of the Okta admin site (the page displayed by clicking the 'View Setup instructions' button on the sign-on settings page of an Okta application) and uploaded that certificate as the signature certificate for logout. Still we are getting the same issue - Request denied.

    Are we using the right certificate? If not, where can I find the SAML SP certificate that you mentioned above?

    One thing: in some comments related to this issue, I found that we need to sign the LogOut request and send it to OKTA. How can we sign a request message? Can you please provide a sample for that?

    It would be great if you could provide any sample code for SLO.

    Thanks,

    Mitesh
  • Hi Mitesh,

    When configuring SLO in Okta, you need to provide the SP's certificate. This should be available from the SP; check their documentation.

    Which SP are you using?
  • 2a4bz (2a4bz)

    You need an SSL Cert in the PEM .pem format, like from a CA cert authority. Or the SP can give you one.
  • BrijeshS.00569 (Hexagon)

    Hi Team,

    Is there any update on this query? We are also facing the same issue as others here... We have our own ADFS (public access endpoint) as SP and we have uploaded the cer file for our IDP in the OKTA Logout URL. However, it still gives the same 403 Access denied page.

    When I changed that to use the global OKTA Sign-out URL, it signs out.

This question is closed.
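
Added example, not from the thread or from Okta: the certificate relationship the replies describe, in Python with the `cryptography` package. The SP signs its LogoutRequest (generic SAML 2.0 HTTP-Redirect binding) with its own private key, and the IdP can verify it only with the matching SP certificate; the host names, issuer value and function names are constructed, and SessionIndex and RelayState are left out.

```python
import base64, uuid, zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit
from xml.sax.saxutils import escape
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def make_sp_credentials(common_name):
    """SP key pair plus self-signed cert; only the cert is uploaded to the IdP."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def signed_logout_url(key, slo_url, sp_issuer, name_id):
    """Build a LogoutRequest and sign the query string with the SP private key."""
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
           f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issued}" '
           f'Destination="{slo_url}">'
           f'<saml:Issuer>{escape(sp_issuer)}</saml:Issuer>'  # the SP's own entity ID
           f'<saml:NameID>{escape(name_id)}</saml:NameID></samlp:LogoutRequest>')
    deflated = zlib.compress(xml.encode())[2:-4]  # raw DEFLATE: drop zlib header/trailer
    signed_part = (f"SAMLRequest={quote(base64.b64encode(deflated), safe='')}"
                   f"&SigAlg={quote(SIG_ALG, safe='')}")
    sig = key.sign(signed_part.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{slo_url}?{signed_part}&Signature={quote(base64.b64encode(sig), safe='')}"

def idp_accepts(url, uploaded_cert):
    """IdP side: verify the signature with whatever certificate was uploaded."""
    query = urlsplit(url).query
    signed_part, _, _ = query.rpartition("&Signature=")
    sig = base64.b64decode(dict(parse_qsl(query))["Signature"])
    try:
        uploaded_cert.public_key().verify(sig, signed_part.encode(),
                                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```

Uploading any certificate other than the one paired with the signing key (the IdP's own metadata certificate, or an unrelated sample certificate) makes `idp_accepts` return `False`.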