After a significant amount of effort we finally managed to successfully enable the Okta SAML “Signed Requests” flag. It turned out that for us the problem was somewhat related to the example SAML client we used to act as the SP-initiated SAML client. That client isn’t properly configured to provide the desired “NameID Format” as part of the SAML AuthnRequest. We resolved this by iteratively working with the actual third-party client and referring to the following URL, which provided the missing solution: Okta SAML Integration with Signed Requests - Auth0 Community
For us the gist of the problem was:
We were missing the “Name ID Format” setting within the SAML AuthnRequest.
I mention this for two reasons.
a) Helping out the many others experiencing this same issue (often without finding a solution).
b) I’d like suggestions on an easy approach to fixing the original example Spring Boot client we initially worked with. See: https://www.baeldung.com/spring-security-saml
For question b), please provide suggestions on how to easily modify the Spring Boot example to provide the missing item in the SAML AuthnRequest:
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
TIA for any valid suggestion.
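One way to answer b), as an added example that is not part of the original post or of the Baeldung project: with the Spring Security SAML2 service provider (assumed here to be Spring Security 5.8 or 6.x, where `OpenSaml4AuthenticationRequestResolver` and `setAuthnRequestCustomizer` exist; older 5.x releases use a different `Saml2AuthenticationRequestFactory` API), register your own `Saml2AuthenticationRequestResolver` bean and attach a customizer that adds the `NameIDPolicy` element before the request is signed. The class name `AuthnRequestConfig` and the package are assumptions; the `RelyingPartyRegistrationRepository` is the one the Baeldung-style `spring.security.saml2.relyingparty` properties already create.

```java
package com.example.saml; // assumed package; use your application's

import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;

/**
 * Adds <samlp:NameIDPolicy Format="...unspecified"/> to every SP-initiated
 * AuthnRequest. Hypothetical configuration class; not from the original post.
 */
@Configuration
public class AuthnRequestConfig {

    @Bean
    Saml2AuthenticationRequestResolver authenticationRequestResolver(
            RelyingPartyRegistrationRepository registrations) {

        // Resolves the RelyingPartyRegistration (Okta, in this case) for the
        // incoming /saml2/authenticate/{registrationId} request.
        RelyingPartyRegistrationResolver registrationResolver =
                new DefaultRelyingPartyRegistrationResolver(registrations);

        OpenSaml4AuthenticationRequestResolver resolver =
                new OpenSaml4AuthenticationRequestResolver(registrationResolver);

        // The customizer runs on the OpenSAML AuthnRequest object before the
        // resolver serializes and (when signing credentials are configured and
        // the asserting party wants signed requests) signs it, so the added
        // element is covered by the signature rather than invalidating it.
        resolver.setAuthnRequestCustomizer(context -> {
            AuthnRequest authnRequest = context.getAuthnRequest();
            if (authnRequest.getNameIDPolicy() == null) {
                NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
                // NameIDType.UNSPECIFIED is the constant for
                // "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                policy.setFormat(NameIDType.UNSPECIFIED);
                authnRequest.setNameIDPolicy(policy);
            }
        });
        return resolver;
    }
}
```

Spring Security's `saml2Login()` picks up a `Saml2AuthenticationRequestResolver` bean automatically, so no further wiring is needed. To confirm the element really is present, intercept the `SAMLRequest` parameter the browser sends to Okta (for the redirect binding, URL-decode, Base64-decode and DEFLATE-inflate it; for the POST binding, just Base64-decode) and check that the XML contains `<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>` inside the signed `AuthnRequest`. If the check is done after the signature is computed you would expect Okta to reject the request, which is why the customizer, not a servlet filter on the outgoing parameter, is the right place for the change.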