<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008C3jq7SABOkta Classic EngineOkta Integration NetworkAnswered2018-09-05T01:30:02.000Z2016-01-13T22:57:54.000Z2017-07-18T16:23:41.000Z

SzabolcsA.73876 (Customer) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
SAML Single Logout - 403 Forbidden
Hi,

 

We're trying to integrate our service with Okta SAML SSO so we signed up for a developer account. The single sign-on part works but we are unable to sign out (SP initiated). We land on a 403 - Access forbidden page. We found in the Okta System Log the error message that says

 

Unable to process SAML Logout Request - The request is malformed and could not be parsed.

 

No more details about the nature of the error are in the log so we are wondering what exactly we do wrong. In the Advanced SAML Settings section of the SAML Configuration page we enabled SLO (The Allow application to initiate Single Logout checkbox is checked) which requires us to upload our X.509 certificate so that Okta can verify that the SLO request comes from our service. We uploaded our (self-signed) certificate and also configured our Single Logout URL as well as the SP Issuer ID.

 

The SAML logout request seems to contain everything that's needed to sign out, including the NameID and SessionIndex from the single sign-on response. Here's an example logout request XML before it's deflated and base-64-encoded into the redirect URL:

 

<?xml version="1.0" encoding="UTF-8"?>

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="Our Okta SLO URL comes here" ID="_5e7a0610-9c70-0133-0b8e-48e0eb16d71f" IssueInstant="2016-01-13T22:10:24Z" Version="2.0">

    <saml:Issuer>Our Issuer ID appears here</saml:Issuer>

    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@email.com</saml:NameID>

    <samlp:SessionIndex>_eb4495a0-9c61-0133-0b84-48e0eb16d71f</samlp:SessionIndex>

</samlp:LogoutRequest>

 

Since the XML document appears to be valid we think that there's something wrong with the signature. We've tried the embedded signature, using the RSA-SHA1 as well as RSA-SHA256 algorithms. Instead of embedding the signature in the XML document we've also tried signing the logout request URL itself.

 

Nothing worked so far. Is the logout request XML invalid? Is something wrong with our private key / X.509 certificate? Are the signing algorithms unsupported? Did we misconfigure something? Is there a way to get more details about the error other than malformed XML? Any help is appreciated.

 

We are using the ruby-saml (https://github.com/onelogin/ruby-saml) gem by OneLogin, by the way.
  • 2 answers
  • 5.25K views

  • Jim Knutson - Okta (Okta, Inc.)

    Hello Szabolcs,

    You may need to contact support to confirm the GA featue flag to support SP single logout is enabled for your developer org, or check any other org spicific varables are correct.

  • BinhL.86758 (Customer)

    Hello, I have the same problem and the issue is about your SAML logout request which missing a signature for authenticating. Please try to config at your service provider in order to attach certificate when sending SAML logout request.
This question is closed.
Loading
SAML Single Logout - 403 Forbidden