0D50Z00008G7UdsSAF | Okta Classic Engine | Okta Integration Network | Answered | 2024-04-30T09:18:25.000Z | 2018-03-14T10:26:52.000Z | 2018-08-12T04:14:39.000Z
Missing SingleLogoutService entry in IdP metadata
Dear Madams and Sirs,

 

We are building the cloud app Meisterplan.com and are currently implementing SAML/SSO and testing this functionality with different Identity Providers.

 

We found out that when exporting the IDP metadata (as described in https://support.okta.com/help/Documentation/Knowledge_Article/More_Apps/How-do-we-download-the-IDP-XML-metadata-file-from-a-SAML-Template-App), the "SingleLogoutService" entry is missing in the metadata, although this endpoint exists and works (https://itdesign.okta.com/login/signout).

 

As we would love to support dynamic SAML configuration for Meisterplan with Okta, my question is whether it is possible to include the SingleLogoutService entry in the IDP metadata file (most other IdPs like OneLogin and Ping provide this information).

 

Thank you very much for your time and regards,

Hans Jakob Thiersch

(Product Owner Meisterplan core Product)


  • Hi Hans

     

    Absolutely, I assume you're referring to Okta's SAML 2.0 application template. During or after the creation of your application you can enable SLO (General -> SAML Settings -> Show Advanced Settings). By doing so and providing the service provider's single logout URL, SP Issuer information and certificate, you can then generate metadata containing information on where the logout response will be sent. Please note, you can supply placeholder values for these fields temporarily to generate metadata.

     

    Example with SLO Disabled in Okta (General tab of application)

     

    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
    </md:IDPSSODescriptor></md:EntityDescriptor>

     

    Example with SLO Enabled in Okta (General tab of application)

     

    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/slo/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/slo/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7/sso/saml"/>
    </md:IDPSSODescriptor></md:EntityDescriptor>
    Selected as Best
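
For a service provider that configures itself from IdP metadata, the answer above means `SingleLogoutService` is optional input: it appears only when SLO is enabled on the IdP side. The following is an added example, not code from the post or from Okta, that reads both endpoint types and treats a missing SLO entry as "SLO off" rather than an error. The function names, the `https://idp.example/entity` entity ID, the https-only rule and the DOCTYPE rejection are assumptions of this sketch, and the sample metadata is constructed from the fragments above with the certificate omitted.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"


def sample_metadata(with_slo):
    """Constructed IdP metadata modelled on the two fragments in the answer."""
    base = "https://subdomain.okta.com/app/slotest_1/exkj9kdjbuN0INC860x7"

    def svc(tag, path):
        return "".join(
            f'<md:{tag} Binding="{BINDING_PREFIX}{b}" Location="{base}/{path}"/>'
            for b in ("HTTP-POST", "HTTP-Redirect"))

    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://idp.example/entity">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + (svc("SingleLogoutService", "slo/saml") if with_slo else "")
            + svc("SingleSignOnService", "sso/saml")
            + "</md:IDPSSODescriptor></md:EntityDescriptor>")


def endpoints(descriptor, tag):
    """Map binding short name -> Location for each <md:tag> child element."""
    found = {}
    for el in descriptor.findall(f"md:{tag}", NS):
        binding, location = el.get("Binding", ""), el.get("Location", "")
        if not binding.startswith(BINDING_PREFIX):
            continue  # ignore bindings this SP does not implement
        if not location.startswith("https://"):  # assumed SP policy
            raise ValueError(f"{tag} Location is not https: {location!r}")
        found[binding[len(BINDING_PREFIX):]] = location
    return found


def load_idp_config(xml_text):
    """Build the SP-side IdP configuration; SSO is required, SLO is optional."""
    if "<!DOCTYPE" in xml_text:  # metadata needs no DTD; refuse entity tricks
        raise ValueError("DTDs are not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = endpoints(idp, "SingleSignOnService")
    if not sso:
        raise ValueError("metadata has no SingleSignOnService endpoint")
    slo = endpoints(idp, "SingleLogoutService")  # empty when SLO is disabled
    return {"entity_id": root.get("entityID"), "sso": sso,
            "slo": slo, "slo_enabled": bool(slo)}
```
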
  • j5v7c (j5v7c)

    Hello,

     

    Thanks for posting your inquiry in Okta Community Portal.

     

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

     

    Thank you,

     

    Dylann Fezeu

    Okta Help Center Team
This question is closed.