
SaravananS.68768 (Customer) asked a question.
I am implementing SLO in our application and trying to make the SLO request using the HTTP Redirect binding. I am using the library "https://github.com/onelogin/python3-saml" to make the SLO request in our application. The SLO SAML response I got is AuthnFailed.
SAML Logout Request
<samlp:LogoutRequest
Destination="https://dev-56964535.okta.com/app/dev-56964535_samlssocamp_1/exk2uilu5wAGKGOhZ5d7/slo/saml"
ID="ONELOGIN_7d44584744e4d927777581a2cc79fa6cd42dc34d" IssueInstant="2022-01-05T16:46:39Z"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>http://172.16.2.163/camp</saml:Issuer>
<saml:NameID>saravanan.subramani@acldigital.com</saml:NameID>
<samlp:SessionIndex>ONELOGIN_30b4f4ac641f5304990cea675072b24a8991b72e</samlp:SessionIndex>
</samlp:LogoutRequest>
SAML Logout Response
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse Destination="http://172.16.2.163/camp/auth/slo?org=verizon"
ID="id11997804552943079800705899" InResponseTo="ONELOGIN_7d44584744e4d927777581a2cc79fa6cd42dc34d"
IssueInstant="2022-01-05T16:47:09.427Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk2uilu5wAGKGOhZ5d7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id11997804552943079800705899">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>TzZkRmU2NlyylzUFv1btHoswofYKiql+kiPkdQj9nUc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>VS4RL0EM9DgrsVAGBOSFwz23vm1GQlpr27NJv9qNmKhFeJRPtAkABdZRumjb9LbEzeMCf9iDpxuGo4hQFIOB8ip1QG296ipojysqsN4h0NtyFWC3bC4MRNmX8cmr3wZrN55k+7O7YlHWCDuQ5xQ2alGYTwNW1UHS3GEYeh5eXV026QDBf7BvlcNCjHGSGASaS4BQr9WOI+voDj9JDIDEaVhHUyytSfwa9rIa3aplzuwJrJd9+tgJX7hMFcSU3Af4DAw701+yaMY7CrHdXcFpFEwJPX5xVU5ldllQh3ZVpjzWBHOvDvKJXJIZk05tS0iIwtEY9NicFLu4IpD4fS92BQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAX0gHl4TMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></saml2p:Status>
</saml2p:LogoutResponse>

Hello @SaravananS.68768 (Customer)
Thanks for posting.
"Invalid Signature" means the LogoutRequest is not signed properly. Typical problems would be:
In your case, there must be a mismatch between the certificate uploaded in Okta and the certificate that the SP is using.
In the SAML trace you should be able to see the SLO request, which will contain the certificate. You can copy it from there and append the header and footer (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), then upload it into Okta to test again and validate.
You can also try this tool to validate the request - use the XML dump of your LogoutRequest.
https://www.samltool.com/validate_logout_req.php
Let us know if this helps you.
Daniela Chavarria.
Okta Inc.
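
Added example (not part of the original posts, and not code from Okta or python3-saml): with the HTTP-Redirect binding the signature travels in the `SigAlg` and `Signature` query parameters rather than inside the XML, so this sketch decodes a redirect URL captured in a SAML trace and reports whether the LogoutRequest is signed and which octets the signature covers. The function names, the example.com hosts and the sample message are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus, unquote, urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def deflate_b64(xml: str) -> str:
    """HTTP-Redirect encoding of a message: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def inspect_slo_redirect(url: str) -> dict:
    """Decode SAMLRequest from a redirect URL and report whether it is signed."""
    # Keep the values URL-encoded: the signature covers these exact octets.
    pairs = dict(p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    xml = zlib.decompress(base64.b64decode(unquote(pairs["SAMLRequest"])), -15)
    # Input here is your own SP's trace; use defusedxml for untrusted XML.
    root = ET.fromstring(xml)
    # The bindings spec fixes this order, whatever the order in the URL.
    covered = [k for k in ("SAMLRequest", "RelayState", "SigAlg") if k in pairs]
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "sig_alg": unquote(pairs["SigAlg"]) if "SigAlg" in pairs else None,
        "has_signature": "Signature" in pairs and "SigAlg" in pairs,
        "signed_octets": "&".join(f"{k}={pairs[k]}" for k in covered),
    }

# Constructed sample message and URLs (placeholder hosts, dummy signature value).
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_constructed" '
    'Version="2.0" IssueInstant="2022-01-05T16:46:39Z" '
    'Destination="https://idp.example.com/slo">'
    '<saml:Issuer>https://sp.example.com/camp</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>'
)
UNSIGNED = "https://idp.example.com/slo?SAMLRequest=" + quote_plus(deflate_b64(SAMPLE_XML))
SIGNED = (UNSIGNED + "&SigAlg=" + quote_plus(RSA_SHA256)
          + "&Signature=" + quote_plus("Q09OU1RSVUNURUQ="))

if __name__ == "__main__":
    for name, url in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        r = inspect_slo_redirect(url)
        print(name, r["has_signature"], r["sig_alg"], r["issuer"])
```

If `has_signature` is false, the SP sent the request unsigned; if it is true, the certificate configured at the IdP must match the key that signed `signed_octets`.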