0D50Z00008G7UraSAF | Okta Classic Engine | Okta Integration Network | Answered | 2024-04-30T09:18:25.000Z | 2018-04-02T11:43:07.000Z | 2018-04-13T16:46:01.000Z
User single sign out from app failure : Invalid Signature
Hi,

Trying to implement SLO for my application, I've faced an "Invalid Signature" issue. I'm pretty sure what I'm sending is correct, and SLO works perfectly fine in my application with ADFS 3.0 and with the same signing certificate. Perhaps it's some additional checks that Okta performs and ADFS does not? The LogoutRequest and the LogoutResponse are below. Any help appreciated.
  1.  <samlp:LogoutRequest Destination='https://onapp.okta.com/app/onapp_devbackup_1/exkwvhw1bwOHeVbuT2p6/slo/saml' ID='_939eac9c-d0c7-49ea-a48c-c7f4173d0c5a' IssueInstant='2018-04-02T10:15:45Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>SP</saml:Issuer><ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:SignedInfo><ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/><ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/><ds:Reference URI='#_939eac9c-d0c7-49ea-a48c-c7f4173d0c5a'><ds:Transforms><ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/><ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'><ec:InclusiveNamespaces PrefixList='#default samlp saml ds xs xsi md' xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/><ds:DigestValue>OvII2+buF2f9YniNPjjE5MkUq4M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Cl9/FyQAZgiN/ttEqUBU1ZaohKXMEXXZbA3AwIEIvQgjy85cfBS2Dk7PALShhuz4d5YHetjaS6fBchyoOINrp5DnWsOHDBw/DUa+hG9uYlhaXfg+WfUvzk6mKiwl8uJwUCf66I3axDNWvlaz3p5m1L14Baog6WWAjnW3ecTSIgI=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDsjCCAxugAwIBAgIJAIigbMhjJQ8pMA0GCSqGSIb3DQEBBQUAMIGYMQswCQYDVQQGEwJVQTETMBEGA1UECBMKU29tZS1TdGF0ZTENMAsGA1UEBxMETHZpdjEOMAwGA1UEChMFT25BcHAxDDAKBgNVBAsTA0ludjEbMBkGA1UEAxMSYWRmcy5vbmFwcGRldi5sdml2MSowKAYJKoZIhvcNAQkBFhtvbGVrc2FuZHIuYW50b25vdkBvbmFwcC5jb20wHhcNMTcwNjAyMTI0NjQ0WhcNMTgwNjAyMTI0NjQ0WjCBmDELMAkGA1UEBhMCVUExEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAcTBEx2aXYxDjAMBgNVBAoTBU9uQXBwMQwwCgYDVQQLEwNJbnYxGzAZBgNVBAMTEmFkZnMub25hcHBkZXYubHZpdjEqMCgGCSqGSIb3DQEJARYbb2xla3NhbmRyLmFudG9ub3ZAb25hcHAuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNX55e6wIZee7/kQRZhNeewBTikTa3+yEVpdhvYirEwxXjNCqIpEauydIbSQuj38xZ/Oys66KDnwE3G3TAPHL+EZ73br
E0WbU897A/TwZD+VG/uXZs9d9MRY8GufqBzlTE3Ngwn7xoNnNExxmos9145Nu5LT7tFBrwdWRqYRvp1QIDAQABo4IBADCB/TAdBgNVHQ4EFgQUIiHhA4+QhPWIvulKwXmScoxSdIkwgc0GA1UdIwSBxTCBwoAUIiHhA4+QhPWIvulKwXmScoxSdImhgZ6kgZswgZgxCzAJBgNVBAYTAlVBMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQHEwRMdml2MQ4wDAYDVQQKEwVPbkFwcDEMMAoGA1UECxMDSW52MRswGQYDVQQDExJhZGZzLm9uYXBwZGV2Lmx2aXYxKjAoBgkqhkiG9w0BCQEWG29sZWtzYW5kci5hbnRvbm92QG9uYXBwLmNvbYIJAIigbMhjJQ8pMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAqmkn5GbG71YfQW1Q3DyknisRWRsSxpjINmmx/PGyLaOwZ1OR/uI1HkkPA+tvoiOeUEny/rlr34GIS0Xqvf7z6wAntZEGo94wgSg2GiHzv0AmwJnnZtVm1s9ToFVn4h7zlppkc8/MscS0/b178OX3/A0quJDCh1EkMSpp+ng1LPc=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>test@onapp.com</saml:NameID></samlp:LogoutRequest>
 
  1.  <saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://SP/users/auth/saml/idp_sign_out?provider_id=4" ID="id22210047872495051985806756" InResponseTo="_939eac9c-d0c7-49ea-a48c-c7f4173d0c5a" IssueInstant="2018-04-02T10:15:46.340Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exkwvhw1bwOHeVbuT2p6</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id22210047872495051985806756"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hswOigzAjCAgfAznKmfBTGjrYdI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>NvfEl+oK6Wx1f6Tunmt6jJPNok9G3IYOzhy6Dj9axRnsEI2c8dp5vET8BUnuUggQU2ySeP2MvkkZqBTrS9QbMHbMwlI6Wh0ZtCLFlVfHMQQvl/9qRJGY65LLu5CAWHiCSmunukR0qdhQfQptZcyCO//7DGPLwAyxN3mG+12apNYOUlicnJLVuIqCPDsdB0Rp39nmEyaJJau9saOSbgeo6MP+MUDK9kkgBVG+1QEljg3tRdOwP5sPduDXnD0J4Pev7/pZkBc6UYckgO2jAAj1cl4uGsp0B0dMUsiI/K2nl2qSa1WVTvmiLK6Dd2LP2nV7xbyVuQAJRDYW+MkNQ4UqMQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDmjCCAoKgAwIBAgIGAWH6+Pw5MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxDjAMBgNVBAMMBW9uYXBwMRwwGgYJKoZIhvcNAQkBFg1pbmZv QG9rdGEuY29tMB4XDTE4MDMwNjExMDAxNloXDTI4MDMwNjExMDExNlowgY0xCzAJBgNVBAYTAlVT MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARP a3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEOMAwGA1UEAwwFb25hcHAxHDAaBgkqhkiG9w0BCQEW 
DWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDggGCxLVxkAuzT mKQP47VrXNa4NJ1bqB8QkIr9BcTB3g3Vt/+YK4Uy64LYRVV+2w5m0Z8RMbNcALznCOwCYgfNlSMs nzL3xY+i9+KMdH/V8igzysvWkL5hbb+a0p0tKUOzU4KZ5NIXWbjnTIqdhMdALiKzDW3THBXbU7oc Bf5pHwGyzsY4r8mVWhcYWTMaaObU7GAu3G6XaHo6Qg5rT/FKuQXATnRao9DFT0BRBEi7W27ehVl7 3cGediJmRaqDjTgkPqzyHkPnPP8J3g2E39CJn8+8Yqa4WaYwkTIY5UUmlKkbdHWV6hOYnnN0Egx7 z85Hs9hnHG1V+EsV1m2/RdzvAgMBAAEwDQYJKoZIhvcNAQELBQADggEBANYViLTpy0tUW+YCaie+ ZJDUfBTfA2tnNRRNf2EyVXObFXXEa/iop918DLLESal61lc+Aum72FZDkaptGFaDDg48hs4aq7P4 4CnDiussNPghiIJhRgvIjCqcQgKbcXbkbk/pF+Q935eiX7c2zoNyV87xSw16vipHB6swyG8qZKp2 XHZvurV9Q68VPSTBjPfaDs9pjTXggwqG2QgvWoU1PUHgB0ODbWRPFsdsD7oVA1wI3brXiPL8mOkc xLw+Ap45/uQTLX+suTYTRPNu1b9FFltu9nrqhBbM3e82pK0D+ji0oYlhiM0eMsbfPwEFP7A9dbNI Va0aB8QoGjqjzenAhaU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></saml2p:Status></saml2p:LogoutResponse>
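
An added example, not part of the original post: a structural pre-check for an enveloped-signature SAML message laid out like the LogoutRequest above. It reports the algorithms and transforms declared in SignedInfo and flags layout problems; it does not verify the signature value and does not establish why Okta rejected the request. The sample message, its ID and URLs, and the name `inspect_signed_message` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SHA1_URIS = {DS[1:-1] + "rsa-sha1", DS[1:-1] + "sha1"}

# Constructed sample: same layout as the posted LogoutRequest, with
# placeholder ID, digest and signature values (not the poster's data).
SAMPLE = """<samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
 xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='_req-1' Version='2.0'
 IssueInstant='2018-04-02T10:15:45Z' Destination='https://idp.example/slo/saml'>
 <saml:Issuer>SP</saml:Issuer>
 <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
  <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
  <ds:Reference URI='#_req-1'><ds:Transforms>
   <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
   <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
  </ds:Transforms>
  <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
  <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:NameID>user@example.com</saml:NameID>
</samlp:LogoutRequest>"""

def inspect_signed_message(xml_text):
    """Return (summary, findings) for an enveloped XML-DSig SAML message."""
    root = ET.fromstring(xml_text)
    sig = root.find(DS + "Signature")  # enveloped: direct child of the root
    if sig is None:
        return {}, ["no ds:Signature as a direct child of the message"]
    info = sig.find(DS + "SignedInfo")
    refs = info.findall(DS + "Reference")
    summary = {
        "issuer": root.findtext(SAML + "Issuer"),
        "destination": root.get("Destination"),
        "c14n": info.find(DS + "CanonicalizationMethod").get("Algorithm"),
        "signature_alg": info.find(DS + "SignatureMethod").get("Algorithm"),
        "digest_algs": [r.find(DS + "DigestMethod").get("Algorithm") for r in refs],
        "transforms": [t.get("Algorithm") for t in info.iter(DS + "Transform")],
    }
    findings = []
    if [r.get("URI") for r in refs] != ["#" + root.get("ID", "")]:
        findings.append("Reference URI does not point at the message ID")
    if list(root)[:2] != [root.find(SAML + "Issuer"), sig]:
        findings.append("Signature is not immediately after saml:Issuer")
    if SHA1_URIS & {summary["signature_alg"], *summary["digest_algs"]}:
        findings.append("SHA-1 used for signature or digest")
    return summary, findings
```

Comparing the summary for a message the IdP accepts with one it rejects narrows the difference down to a declared algorithm, transform or reference before any cryptographic verification is attempted.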
 


  • Hello Oleksandr

    At first sight, it does not seem to be an issue with your configuration.

    I would however like to encourage you to open a ticket with our Customer Support team so that we can take a closer look at the configuration and better understand your environment in order to best provide assistance on this issue.

    Thank you,

    Alexandru Preda
  • j5v7c (j5v7c)

    Hello Oleksandr,

     

    Thanks for posting your inquiry in Okta Community Portal.

     

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

     

    Thank you,

     

    Dylann Fezeu

    Okta Help Center Team
This question is closed.