
iphxk (iphxk) asked a question.
We are implementing SP-initiated SLO in our Ruby app, which already had SAML 2.0 SSO integrated.
Our session is SP-initiated and Okta is being used as the IdP. Login (SSO) works fine, but when our application triggers an SLO we are redirected to the correct page from the SAML relay, the user is logged out as well, and the redirect reaches our callback endpoint `:site/logout/callback`.
But the problem is our SAML Response has StatusCode "AuthnFailed".
We are using https://github.com/onelogin/ruby-saml for making the SLO request in our application.
We are using a self-signed OpenSSL certificate to test this feature; we followed the Okta docs: https://help.okta.com/en-us/Content/Topics/Apps/Apps_Single_Logout.html.
Any help will be much appreciated.
***********************************
SAML Logout Request
***********************************
```
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://vinetipreview.oktapreview.com/app/vinetipreview_rafitestesign11902esign_2/exk1ejp4ao34BV4JL0h8/slo/saml" ID="_f6b3501b-36d8-4247-9f69-4ccd30fdd123" IssueInstant="2022-11-02T14:48:35Z" Version="2.0">
<saml:Issuer>esignature</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#_f6b3501b-36d8-4247-9f69-4ccd30fdd123">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi md"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:DigestMethod>
<ds:DigestValue>t+Wzn2FXFHM067NtaA+bn4t2pCfGy9T1NhIHoNiLzHY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>rcdugrmAUDs0VSQN3fzJEyCzfOnbWuwOw8KNzsnSp8LHH94HWN5MZJ/ttl8AKwQQ1CfbjcyreEzC3/3vgL0mhmXqVkMkQ5UT1NBzHysvoEz0vZB3Ut9KGHN0O5p2AoM2GBULAQ8sOjR6VXBAY53FqNRW572erYjwN1+cK94O5vRy5tnRgBZGQ1LR8VC7AkLXHcdAzcboTIB3anFuPnO2eus4WQgswJD0Ln6mOaR5phoY5s3FUL75yi7DvwvMwyY6auSBC7ZMy45b/70oRUI3kz538KpphvNLmWxbshFZNHZv9iEPBHj4K7eTxzOmKtI0pX6KCFZGJ4PKrVzcRw9Hxw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_531453ee-e303-48b2-96c0-4b934c84140e</saml:NameID>
</samlp:LogoutRequest>
```
***********************************
SAML Logout Response
***********************************
```
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:3000/single_logout_callbacks" ID="id73066648839037181330715953" InResponseTo="_f6b3501b-36d8-4247-9f69-4ccd30fdd123" IssueInstant="2022-11-02T14:48:36.448Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1ejp4ao34BV4JL0h8</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#id73066648839037181330715953">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>gMD6cYx70zye1vxutWCk6wcp4q4sE/Mlhd7ZxNWU/mc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dIIMKTvZZUPwjgeoW3xp14cIdo1IGjqN+dx270Ah+qAbisVhZJMIFpbWSTHfmaAclzbbs2eI9XzN1z5MQ5Lh6ib11oLAYRuhri1K/RhTEPFRURQ6IRb7QZS0HM3mheucd4AuuJuGgbssU59pqjn60mwsSn3CCdNLzs/1/lEblNyrxpkiX9UYH9g7LAgYRbuJrkPsjUufDa8WRKl+DthjNkO0l19Auent8HRsYLN6Cx8MPMPvrZtBXIevowcnbd1dHRdvMvIZl0aCB7tv/5vZt6ToiJfVv8f/g4jI9Kwvz9p94/HfdBz3Co4alejwPYxF7LwxT23081ziHw8cuOoYgQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAYQ4cTwoMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDXZpbmV0aXByZXZpZXcxHDAaBgkqhkiG9w0B
CQEWDWluZm9Ab2t0YS5jb20wHhcNMjIxMTAyMTMwMzE1WhcNMzIxMTAyMTMwNDE1WjCBlTELMAkG
A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL
BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA12aW5ldGlwcmV2aWV3
MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAqMrNCbnOAFghWDs4iSIlFn45rivI/wa8rCJ8/GuBUFHzpOLBEdv8xoCge1NzoEt5WAYl
ScDLtEXk154Dq27bt/2crk12i4gXJRLSkh3yLG6YwMPrJOc3zGTxi6E4daU1QTk/D3/i2SbOlWfT
wF3EzJWQTYvSKbiGC6308sZTLLkMq8pmTAQNoIY7GsxHE4kEpPBU5xZftxOFp2be2GE6g6VDxNK6
PXklh8xQGLBM6xMGqjylkF7rMzP+Rq6sXfDtBVyeCbV8FXGH9CJlRDZISm7pmTaLxolVwtnMoD9n
hjHDGps8ioFUqwIOdh8LpT8CS084YROxvpU1t+HWRwEGSwIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
AQBeIWrzEbZZLLp0FK6ZvBMh+TGng7qUF1yXS1t/NUWudFPGcsLMDZr+dhFS5fhDy1zV4KIfDluE
B58pI2J0VqTUpVW7CmivXevjvaajbUwXyWRzRrK/Cie0BSnT3+oc/RZmaPyTtHhMX1hQqrVB8JgY
cS215lHYudeAW0C+CRAtQWglZSGoLa2RO3/y3d1OypZsciGBXaVz9oqo17sQKTi9gv7dqUm+GeAD
uYxHBVhqM2bWk2fhBGXyejIe0yGDyR0Gg+yEK6u13wja6jviVfXKMzTBnVubqH8Mvra2mLGBpK6o
0phNzBFn7TWHO+J8LJwzqRzLeXiUiitUMIERLzLF</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"></saml2p:StatusCode>
</saml2p:Status>
</saml2p:LogoutResponse>
```
In the Okta system log it is updated as an invalid signature error.

Hello @iphxk (iphxk), thank you for reaching out to our Community!
That particular error usually indicates that the certificate that is being used for the signature is not correct. In this case I would recommend revisiting the configuration where you made the Single Logout settings and updating the certificate on the Okta side.
Please also see this response:
https://support.okta.com/help/s/question/0D54z00007Mn7RCCAZ/okta-saml-slo-response-status-authnfailed-and-in-the-okta-system-log-it-is-updated-as-invalid-signature-error?language=en_US
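As an added example (not code from the question, the reply or ruby-saml), two checks the SP's logout callback can run in plain Ruby with only REXML and OpenSSL: read the LogoutResponse status and confirm InResponseTo matches the request we sent, and compare the SHA-256 fingerprint of the certificate embedded in our signed LogoutRequest with the certificate file uploaded in Okta's Single Logout settings, since a mismatch there is exactly the configuration error the reply points at. The self-signed certificate and the minimal SAML messages are constructed fixtures, not the messages from the question.

```ruby
# Added example (not from the question, the reply or ruby-saml): two checks an SP's
# SLO callback can run when Okta answers with AuthnFailed / "invalid signature".
require "rexml/document"
require "openssl"
NS = { "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "ds" => "http://www.w3.org/2000/09/xmldsig#" }

# Check 1: read the LogoutResponse status and confirm it answers the LogoutRequest
# we actually sent (InResponseTo must equal the ID we generated for that request).
def logout_status(xml, expected_request_id)
  doc    = REXML::Document.new(xml)
  code   = REXML::XPath.first(doc, "//samlp:StatusCode/@Value", NS)
  status = code ? code.value : ""
  { success: status.end_with?(":Success"), status: status.split(":").last,
    in_response_to_ok: doc.root.attributes["InResponseTo"] == expected_request_id }
end

# Check 2: the certificate embedded in our signed LogoutRequest must be the one
# uploaded in Okta's Single Logout settings; compare SHA-256 fingerprints of the DER.
def embedded_cert_fingerprint(signed_xml)
  b64  = REXML::XPath.first(REXML::Document.new(signed_xml), "//ds:X509Certificate", NS).text
  cert = OpenSSL::X509::Certificate.new(b64.gsub(/\s+/, "").unpack1("m"))
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end
def configured_cert_fingerprint(pem)
  OpenSSL::Digest::SHA256.hexdigest(OpenSSL::X509::Certificate.new(pem).to_der)
end

# Constructed fixtures: a throwaway self-signed cert standing in for the SP's real
# signing cert, plus minimal messages shaped like the ones in the question.
def make_self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=esignature")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256")) # returns the signed cert
end
def logout_request_with_cert(cert)
  "<samlp:LogoutRequest xmlns:samlp=\"#{NS['samlp']}\" ID=\"_req1\" Version=\"2.0\">" \
  "<ds:Signature xmlns:ds=\"#{NS['ds']}\"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>" \
  "#{[cert.to_der].pack('m0')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>" \
  "</ds:Signature></samlp:LogoutRequest>"
end
AUTHN_FAILED_RESPONSE =
  "<samlp:LogoutResponse xmlns:samlp=\"#{NS['samlp']}\" ID=\"id1\" InResponseTo=\"_req1\" Version=\"2.0\">" \
  "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:AuthnFailed\"/>" \
  "</samlp:Status></samlp:LogoutResponse>"
```

Feeding the real LogoutRequest XML and the PEM uploaded to Okta into the two fingerprint functions shows directly whether the signing certificate and the one Okta verifies against differ.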