
6bbqh (6bbqh) asked a question.
I have seen and read several related questions about these symptoms, and possible causes.
(My initial text exceeded your description size limit. Footnotes will be posted as a comment to this.)
So, to address these first, to hopefully convince the reader that whatever my problem is, it is not these.
* Mismatched certs?
As far as I can tell with the tools given to me by the okta dashboard for the okta instance [1], the certs in okta and my logout request are the same. To wit:
The cert is locally stored in file `cert.pem`, with issuer and validity information of
```
Issuer: C = de, ST = nrw, L = willich, O = suse-rancher, OU = saml-test, CN = tagetarl
Validity
Not Before: Jun 24 10:52:04 2024 GMT
Not After : Jun 22 10:52:04 2034 GMT
```
Immediately after upload of the cert under the advanced SAML options of the config editor it shows
```
Uploaded by Alexandre Alves on Mon Jun 24 10:59:57 UTC 2024
CN=tagetarl,OU=saml-test,O=suse-rancher,L=willich,ST=nrw,C=de
Valid from 2024-06-24T10:52:04.000Z to 2034-06-22T10:52:04.000Z
Certificate expires in 3649 days
```
After completing the SAML config setup the dashboard only shows
```
cert.pem (CN=tagetarl)
```
Regardless, it is all a match. (Side note: If the dashboard could be convinced to show the cert's fingerprint then this could make me even more sure of the match)
Note regarding names: Both Alexandre and I are devs for the same org, and he gave me access to the instance for testing.
I.e. I work under his name when editing my application (`aku-saml-so`) in the dev-88193867 okta instance.
* Mismatched signature and digest algorithms.
The dashboard shows
```
Signature Algorithm RSA_SHA256
Digest Algorithm SHA256
```
The logout request captured using the `saml tracer` plugin [2] contains
```
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
```
That is a match. See [2] for the entire captured request.
* The logout request is not signed at all
The captured logout request contains a full `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">` tag structure. See [2] for the complete captured logout.
So that looks good too.
* The cert in the request itself does not match the cert in the instance.
See [2] for the captured request with cert. Pulling the cert out and comparing against the local copy shows them as identical.
I already noted as my first check that the local cert is identical to the cert known to the okta instance.
* External validation
The https://www.samltool.com/validate_logout_req.php tool claims that the captured logout request is valid.
* The logout request is only partially signed.
The captured logout request [2] contains
```
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
```
It is my understanding that this means that the entire request is signed.
* What else?
At this point, while I am fine with the belief that there is something wrong on my side I also believe that the common possible causes are not the problem here. What else could be wrong ?
Something else in the SAML config of the instance and app ?
Footnote [3] shows my config, as copied out of the dashboard
It is really unfortunate that
- the dashboard does not show the cert fingerprint as a very good way of checking for cert mismatches without giving out the entire cert.
- the log entry of `invalid signature` is so opaque, with no details at all on where okta decided things were bad.
In hope of help,
Andreas

This question is resolved.
Talking with a different provider about other symptoms put me on the correct track.
The keyword is "detached signatures" in redirect mode.
Where the signature info is not embedded in the XML, but passed as "SigAlg", "Signature" query parameters. The client package used did not generate these for logout requests, just auth.
Luckily a PR was found providing the necessary fix to the package.
I have now made a proper successful SLO against OKTA.
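As an added illustration of the resolution above (not code from the poster or from the client package in question): under the HTTP-Redirect binding the XML is deflated and base64-encoded, and the signature is carried detached in the `SigAlg` and `Signature` query parameters, computed over the URL-encoded `SAMLRequest`, `RelayState` (if present) and `SigAlg` segments in that order. The helper below reconstructs that signed string from a redirect URL and flags the exact failure mode described (an enveloped `<ds:Signature>` inside the XML but no detached parameters). The URLs, IDs and the `Signature` value are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_redirect_saml(xml_text: str) -> str:
    """HTTP-Redirect encoding of a SAML message: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def decode_redirect_saml(value: str) -> str:
    """Reverse of encode_redirect_saml: base64 -> raw DEFLATE -> XML text."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def signed_string(raw_query: str) -> str:
    """Octets the SP signs and the IdP verifies under the Redirect binding:
    SAMLRequest (or SAMLResponse), RelayState if present, then SigAlg, each
    exactly as URL-encoded on the wire, joined with '&'. Signature is excluded."""
    segs = {s.split("=", 1)[0]: s for s in raw_query.split("&") if "=" in s}
    order = ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg")
    return "&".join(segs[k] for k in order if k in segs)

def check_redirect_logout(url: str) -> dict:
    """Does the redirect-binding LogoutRequest carry an embedded <ds:Signature>
    (ignored by this binding) and/or the detached SigAlg/Signature params?"""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    root = ET.fromstring(decode_redirect_saml(q["SAMLRequest"]))
    return {
        "embedded_signature": root.find(f"{{{DS_NS}}}Signature") is not None,
        "detached_signature": "SigAlg" in q and "Signature" in q,
    }

# Constructed sample LogoutRequest with an enveloped signature stub, i.e. what a
# client that only implements POST-style signing emits on the redirect channel.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:ds="{DS_NS}" ID="_constructed1" Version="2.0">'
    "<ds:Signature><ds:SignedInfo/></ds:Signature></samlp:LogoutRequest>"
)
SAMPLE_REQ = encode_redirect_saml(SAMPLE_XML)
# URL as the failing client sent it: the signature lives only inside the XML.
URL_EMBEDDED_ONLY = "https://idp.example/slo?" + urlencode(
    {"SAMLRequest": SAMPLE_REQ, "RelayState": "rs 1"})
# Same request with the detached parameters (Signature value is a placeholder).
URL_DETACHED = URL_EMBEDDED_ONLY + "&" + urlencode(
    {"SigAlg": RSA_SHA256, "Signature": "cGxhY2Vob2xkZXI="})
```

When debugging an `invalid signature` log entry against a redirect-binding SLO endpoint, running the captured URL through `check_redirect_logout` separates "not signed the way this binding expects" from a genuine cert or algorithm mismatch.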