Okta Classic Engine · Okta Integration Network · Answered · 2015-09-28 · 2018-06-15 · 2024-04-30
Single Logout
I am trying to get SAML Global Logout to work in a Spring sample application with Okta. After setting the parameters in the advanced settings as specified in the link https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard#SAMLConfigureSAML, I am getting an error regarding the destination endpoint:

org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint


The error occurs because, in the SAML LogoutResponse from Okta, the Destination is the SP’s SSO endpoint, but the message is posted to the SP’s single logout endpoint:

<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/OktaSLOSample/saml/SSO" ID="id21496932117164504147781404"...


Below are the values used in SAML settings:

Single sign on URL/ Recipient URL/ Destination URL: http://localhost:8080/OktaSLOSample/saml/SSO

Audience URI (SP Entity ID): http://localhost:8080/OktaSLOSample/saml/metadata

Enable Single Logout: True

Single Logout URL: http://localhost:8080/OktaSLOSample/saml/SingleLogout

SP Issuer: http://localhost:8080/OktaSLOSample/saml/metadata

Signature Certificate: Have uploaded the certificate of alias apollo extracted from samlKeystore.jks


I noticed that the Destination of the SAML LogoutResponse always has the value from the “Destination URL” SAML setting. This doesn’t work, since the SP would have different SSO and SingleLogout endpoints. If I change the Destination URL in the Okta app to http://localhost:8080/OktaSLOSample/saml/SingleLogout, single logout works but login does not. Can you please help me with this issue?


Regards,

Vikas
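As an added illustration (not code from the original post, from Okta, or from Spring Security SAML/OpenSAML), the check below is the SP-side Destination validation that produces the error quoted above, run against a constructed LogoutResponse modelled on the one in the post; the ID, IssueInstant and Issuer values are placeholders, and the endpoint URLs are the ones listed in the SAML settings.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_SSO_URL = "http://localhost:8080/OktaSLOSample/saml/SSO"
SP_SLO_URL = "http://localhost:8080/OktaSLOSample/saml/SingleLogout"

# Constructed LogoutResponse modelled on the one quoted in the post: Destination
# carries the SP's SSO (ACS) URL even though Okta posts it to the SingleLogout URL.
# ID, IssueInstant and Issuer are placeholders, not values from the thread.
LOGOUT_RESPONSE_FROM_OKTA = f"""<saml2p:LogoutResponse xmlns:saml2p="{SAMLP}"
    xmlns:saml2="{SAML}" ID="id-constructed-1" Version="2.0"
    IssueInstant="2015-09-28T13:38:19Z" Destination="{SP_SSO_URL}">
  <saml2:Issuer>http://www.okta.com/ISSUER-PLACEHOLDER</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
</saml2p:LogoutResponse>"""


def canonical_endpoint(url: str) -> str:
    """Normalise only what RFC 3986 makes case/port-insensitive (scheme, host,
    default port); path and query must match byte-for-byte."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if u.port in (None, default) else f"{host}:{u.port}"
    return f"{scheme}://{netloc}{u.path}" + (f"?{u.query}" if u.query else "")


def check_destination(saml_xml: str, recipient_url: str) -> tuple:
    """SP-side check behind the OpenSAML error in the post: the message's
    Destination must name the endpoint it actually arrived at, otherwise a
    response meant for one endpoint could be replayed to another. Returns
    (accepted, reason). A production SP should parse with a hardened XML
    parser (e.g. defusedxml) rather than plain ElementTree."""
    root = ET.fromstring(saml_xml)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return False, f"unexpected message type {root.tag}"
    destination = root.get("Destination")
    if destination is None:  # required for signed messages over the POST binding
        return False, "Destination attribute missing"
    if canonical_endpoint(destination) != canonical_endpoint(recipient_url):
        return False, f"Destination {destination} does not match recipient {recipient_url}"
    return True, "Destination matches recipient endpoint"
```

Calling `check_destination(LOGOUT_RESPONSE_FROM_OKTA, SP_SLO_URL)` reproduces the rejection from the post, while the same response checked against `SP_SSO_URL` is accepted, which is why changing the Okta Destination URL trades a working login for a working logout.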

  • j5v7c (j5v7c)

    This is a technical question which is highly complex; we have assigned it to one of our Support Engineers. We will update the Community here when the answer has been identified.

    Tom Hill

    Support Community Manager, Okta
  • 6nr1r (6nr1r)

    Hi Thomas,

    Any updates on this question?

    Thanks,

    Vikas
  • 6nr1r (6nr1r)

    The Engineering team has confirmed that this is indeed a bug for a case I had opened on the same topic. The identifier for this issue is OKTA-69971. Once this issue is resolved, the identifier should be listed in the Okta release notes.

    - Vikas
  • j5v7c (j5v7c)

    From Okta Support:

    Hi Vikas,

    Just wanted to let you know that the release version for this fix (OKTA-69971) is 2015.44, which is due to go live tomorrow evening for oktapreview.com orgs, and will flow into production next week.

    Please let us know if you have any additional questions. If not, we'll close this case out tomorrow afternoon, which you may also re-open at any time if it's determined the issue is not resolved. Thanks for your patience in allowing us to resolve this issue for you.

    Thank You,

    Jon Kraatz

    Okta Global Customer Care
  • 6nr1r (6nr1r)

    Thanks for the update, Jon. I was able to test the fix successfully in oktapreview.com.

    - Vikas
  • rwum1 (rwum1)

    Hi, I am trying to do a POC on Single Sign-On. I am a little confused about what the single sign-on config variables could be, as you mentioned:

    Single sign on URL: http://localhost:8080/OktaSLOSample/saml/SSO

    Audience URI (SP Entity ID): http://localhost:8080/OktaSLOSample/saml/metadata

    If my server runs on localhost:3000, can I replace localhost:8080 with localhost:3000?

    But when I go through Okta's documentation, they provide the Single Sign-On URL and Audience URI in the same format as below:

     http://example.com/saml/sso/example-okta-com

    So, then, what could the Single sign-on URL and Audience URI be?
This question is closed.