
AtanasK.42423 (Customer) asked a question.
So Okta redirects me after my SLO request to the correct SLO URL, but in the system logs I see
User single sign out from app failure: Invalid Signature
Looks like there is some issue with the certs, but I can't figure out what it is, and any help will be appreciated here.
I generated our test certs here: https://www.samltool.com/self_signed_certs.php
In the Okta advanced settings I successfully added the public cert and set the digest and signature algorithms.
With www.samltool.com I signed the XML, then deflated and encoded it, then passed it through URL encoding and made a GET request to my SLO URL:
Some more detailed req/res data:
===== LOGOUT XML BEFORE SIGNING START =====
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Destination="https://dev-11111111.okta.com/app/dev-11111111_zzzzzzzz_1/1111111111115d7/slo/saml" ID="id1111111111d8-4s3m-974j-2f45r38899zz" IssueInstant="2023-02-13T14:48:02Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/11111111111111115d7</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">aaaaakkkkkkk@zzzzzzzzz.com</saml:NameID>
</samlp:LogoutRequest>
===== LOGOUT XML BEFORE SIGNING END =====
===== LOGOUT SIGNED REQUEST START =====
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Destination="https://dev-11111111.okta.com/app/dev-11111111111_zzzzzzz_1/111111111111111115d7/slo/saml" ID="p11111111-4027-ac84-c2f8-30b8bf25c6cc" IssueInstant="2023-02-13T14:48:02Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/111111111111115d7</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#p11111111-4027-ac84-c2f8-30b8bf25c6cc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>45N18IQ7GFxi8VuOG/qu+1+xbFo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>NF6YntOL3NMuxh1hyCC/Zmcmdne95eQr3N/3xAcitxJHbWZbkBuf/OO9ovwLJagjHx0iBa96/n12G7EG79AR1OAG3956OaF/rE+9wFAoaIyRWOut+01Tfx9eYIovUTvsMQrfGMWhYgMydRwW7GzHryybLFKnN0EtgHgUq4+sAzcOFVXVFwcO75RQb7H4x7j069QoAfWDMR/ycPK0Xi/hXHEAm0ulb0Q9A0Wgsdi6Pzzch9Pc3ssS+NPSZLva0uInYLiQuL9T0m5v9o26kamIVYYs8psrCXRDY+1Y7QL0XRaIwHNO83scGD8HgGrbizzzyDijpZSdfFw+c5tUBJMlPSo=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">aaaaaaaaaaakkkkkkkkkk@zzzzzzzzzzzzzz.com</saml:NameID>
</samlp:LogoutRequest>
===== LOGOUT SIGNED REQUEST END =====
Any help here will be appreciated.
Regards,
Atanas

Hi @AtanasK.42423 (Customer), Thank you for reaching out to the Okta Community!
Assuming you are using a custom SAML app and not one from the OIN (Okta Integration Network), and the SP side did not provide a cert of their own, I would just download the cert that you've uploaded on the SP side and the one you've uploaded in Okta, then check 1:1 parity with a text editing tool (personal preference: Notepad++).
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
Hi @Mihai Negoita - Okta (Okta, Inc.),
It is correct, we don't use OIN integration, but I uploaded the SP (our app) public cert to Okta. The certs (public and key) are generated from www.samltool.com, which I also use to sign the LogoutRequest.
I just compared both certs as you suggested, but there are no differences.
Thanks,
Atanas
Hi @Mihai Negoita - Okta (Okta, Inc.),
An important update:
After adding a URL-encoded signature as a query param, like this: &Signature=VBek%2F7, the signature issue looks fixed, but now I get:
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</saml2p:Status>
in the LogoutResponse.
Also, I can't find any logs in Okta about the logout request.
Thanks,
Atanas
Hi @AtanasK.42423 (Customer),
It looks like you're testing this on your own without any actual service provider? It seems like your current value for "SigAlg" is not matching what Okta expects. Can you test it with this "https://www.w3.org/2001/04/xmldsig-more#rsa-sha256" and see if it helps?
-Jani
Hi @JaniK.29243 (Customer),
Currently I'm using the same signature algorithm; it is URL encoded and added as a query param to the request, like this: &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha256.
Also, I checked in the Okta advanced settings and the same algorithm is selected there - SHA256.
Thanks,
Atanas
Hi @JaniK.29243 (Customer),
An important update:
After adding a URL-encoded signature as a query param, like this: &Signature=VBek%2F7, the signature issue looks fixed, but now I get:
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</saml2p:Status>
in the LogoutResponse.
Also, I can't find any logs in Okta about the logout request.
Thanks,
Atanas
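The HTTP-Redirect binding pipeline from the original post (deflate, base64, URL-encode, GET to the SLO URL) together with the detached SigAlg/Signature query parameters that the update above found were needed, as an added Python example that is not from this thread or from Okta. The signature in this binding covers the URL-encoded SAMLRequest/RelayState/SigAlg string rather than an enveloped ds:Signature inside the XML, and the verifier has to rebuild that string from the values exactly as received. The sample LogoutRequest is constructed, and the sign/verify callables are assumptions to be backed by RSA-SHA256 over the SP key from a crypto library.

```python
import base64
import zlib
from urllib.parse import quote, unquote, urlencode
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed sample mirroring the thread's unsigned LogoutRequest (placeholder values)
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2023-02-13T14:48:02Z" Destination="https://idp.example/slo/saml">'
    '<saml:Issuer>https://sp.example</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>'
)

def encode_saml_request(xml: str) -> str:
    """Raw DEFLATE (wbits=-15, no zlib header) then base64, as the Redirect binding requires."""
    if "xmldsig#" in xml:  # an enveloped <ds:Signature> is not how this binding signs
        raise ValueError("Redirect binding uses a detached Signature parameter, not XML DSig")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")

def decode_saml_request(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def signing_input(saml_request: str, relay_state, sig_alg: str) -> bytes:
    """Exact bytes that get signed: URL-encoded SAMLRequest[&RelayState]&SigAlg, in this order."""
    params = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return urlencode(params, quote_via=quote).encode("ascii")  # safe='' so '/', '+', '=' are encoded

def build_redirect_query(xml: str, sign, relay_state=None, sig_alg=RSA_SHA256) -> str:
    """SP side. sign(bytes) -> bytes is the caller's RSA-SHA256 signer over the SP private key."""
    to_sign = signing_input(encode_saml_request(xml), relay_state, sig_alg)
    sig_b64 = base64.b64encode(sign(to_sign)).decode("ascii")
    return to_sign.decode("ascii") + "&Signature=" + quote(sig_b64, safe="")

def verify_redirect_query(raw_query: str, verify, sig_alg=RSA_SHA256) -> str:
    """IdP side: rebuild the signed bytes from the raw, still-encoded query values (never
    re-encode them), check the signature, then inflate and return the LogoutRequest XML."""
    raw = dict(part.partition("=")[::2] for part in raw_query.split("&"))
    if unquote(raw.get("SigAlg", "")) != sig_alg:
        raise ValueError("unexpected SigAlg")
    parts = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    parts.append("SigAlg=" + raw["SigAlg"])
    if not verify("&".join(parts).encode("ascii"), base64.b64decode(unquote(raw["Signature"]))):
        raise ValueError("Invalid Signature")
    return decode_saml_request(unquote(raw["SAMLRequest"]))
```

Any change to the encoded request, RelayState or SigAlg after signing fails verification, so both sides must agree on the encoded form byte for byte.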
The forum is not the ideal medium for in-depth troubleshooting. I would recommend opening a case to work together with one of our Support Engineers and, if it's not too much of a bother, perhaps post the solution here so that other Community members can find it if they happen to have the issue.
Thanks @Mihai Negoita - Okta (Okta, Inc.), we will consider opening a case and I'll share the result if I do it.
This is not an answer to the question, but it may help as a workaround for anyone in that situation:
Making a DELETE request to {okta-base-url}/api/v1/sessions/me will destroy the user session in Okta and will log the user out of Okta. For that you just need the cookie received on SAML login.
Regards,
Atanas