Okta Classic Engine > Integrations | Answered | asked 2020-07-12 (later activity 2020-11-12, 2024-03-25)

HaseebQ.27177 (Customer) asked a question.

Destination attribute not set in SAMLResponse

I've set up a generic SAML Service Provider in 'Applications'. Everything seems to be working except that, for some reason, the "Destination" attribute is not being set properly by Okta in the SAML response.

Is this expected? Is there a way to force Okta to add the 'Destination' attribute? Any help would be appreciated.

AuthnRequest:

<samlp:AuthnRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="id-57e52d89c155d0e928d625b2bc3270b0bad470cb"
    Version="2.0"
    IssueInstant="2020-07-12T04:39:56.138Z"
    Destination="https://jumpdesktop-haseebq.okta.com/app/generic-saml/XXXXXXXXXX/sso/saml"
    AssertionConsumerServiceURL="http://localhost:8000/v1/saml/sp/jump/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8000/v1/saml/sp/jump/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true" />
</samlp:AuthnRequest>

Response:

<saml2p:Response
    ID="id436169814054609368529872"
    InResponseTo="id-57e52d89c155d0e928d625b2bc3270b0bad470cb"
    IssueInstant="2020-07-12T04:39:56.679Z"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" >



  • 2s193 (2s193)

    According to https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf, section 3.5.5.2 (which is in the HTTP POST binding section; there is identical text in the redirect binding section) says:

    If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.


    This would seem to indicate that you just need to enable message signing in Okta, and then they will insert the destination parameter (or else they would be not standards compliant).

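For anyone implementing the SP side of the rule quoted in that answer, here is an added example of the receiving-end check (my code, not Okta's and not from this thread). It treats a Response as message-signed only when a ds:Signature is a direct child of samlp:Response; in that case it requires Destination and compares it with the URL the SP actually received the POST on. Separately, it checks the bearer assertion's SubjectConfirmationData Recipient, which binds the assertion to the ACS URL even when only the assertion is signed and the Response carries no Destination. XML signature validation itself is assumed to be done elsewhere (for example with xmlsec). The sample responses are constructed for the demo, their ds:Signature elements are empty placeholders rather than real signatures, and the ACS URL is the one from the AuthnRequest in the question.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The poster's ACS URL, reused here as the SP's configured receiving location.
ACS_URL = "http://localhost:8000/v1/saml/sp/jump/acs"


def check_destination(response_xml: str, received_at: str) -> list[str]:
    """Return the list of problems found; an empty list means the checks pass.

    received_at is the URL this SP actually served the POST on, taken from the
    SP's own configuration, never from anything inside the message.
    XML signature validation is assumed to happen elsewhere; this function only
    enforces the Destination and Recipient binding rules.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    problems: list[str] = []

    # Only a ds:Signature that is a direct child of samlp:Response signs the
    # message. A signature under saml:Assertion signs that assertion only, so
    # the message-level Destination rule does not apply to it.
    message_signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")

    if destination is None:
        if message_signed:
            problems.append("signed Response has no Destination (bindings 3.5.5.2)")
    elif destination != received_at:
        problems.append(f"Destination {destination!r} != receiving URL {received_at!r}")

    # Whether or not the message is signed, every bearer SubjectConfirmationData
    # must name this ACS URL as Recipient (SAML 2.0 profiles, 4.1.4.2).
    for sc in root.findall("saml:Assertion/saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        recipient = scd.get("Recipient") if scd is not None else None
        if recipient != received_at:
            problems.append(f"bearer Recipient {recipient!r} != receiving URL {received_at!r}")
    return problems


def sample_response(*, message_signed: bool, destination: str | None,
                    recipient: str = ACS_URL) -> str:
    """Constructed minimal Response for the demo. The ds:Signature elements are
    empty placeholders, not real signatures."""
    dest_attr = f' Destination="{destination}"' if destination is not None else ""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_r1" Version="2.0" IssueInstant="2020-07-12T04:39:56Z"{dest_attr}>'
        + (sig if message_signed else "")
        + '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2020-07-12T04:39:56Z">'
        + sig  # assertion-level signature placeholder, present in every sample
        + f'<saml2:Subject><saml2:SubjectConfirmation Method="{BEARER}">'
        f'<saml2:SubjectConfirmationData Recipient="{recipient}"/>'
        '</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion></saml2p:Response>'
    )


if __name__ == "__main__":
    cases = {
        "assertion signed only, no Destination": sample_response(message_signed=False, destination=None),
        "message signed, Destination matches": sample_response(message_signed=True, destination=ACS_URL),
        "message signed, Destination missing": sample_response(message_signed=True, destination=None),
        "message signed, Destination for another SP": sample_response(
            message_signed=True, destination="https://other.example/acs"),
        "Recipient for another SP": sample_response(
            message_signed=False, destination=None, recipient="https://other.example/acs"),
    }
    for name, xml in cases.items():
        print(f"{name}: {check_destination(xml, ACS_URL) or 'OK'}")
```

Run it as a script to see each case's verdict. The comparison against received_at is an exact string match on purpose: derive that value from the SP's configuration, not from the Host or X-Forwarded-* headers of the incoming request, otherwise the party relaying the response can also choose the value it is compared against.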
  • ToniW.18360 (Customer)

    As also shown in your samples in Overview | Okta Developer, the Destination attribute is given.

    I have an application registered last year, and the SAML responses for this application include the Destination attribute. All newly registered applications using the only existing way, "SAML Service Provider", do not include this attribute.

    How can I use Okta as a SAML IdP in a standards-conformant way?
This question is closed.