SLO request returns generic login page


#1

I’m trying to add support for Okta in my application, and running into trouble with the logout. SSO is working fine, but when the app sends an SLO request, Okta responds with a generic login page, as if the request was not understood at all.

The HTTP-Redirect URL below, with line-breaks for readability (and some editing to hide my email address), shows what I believe are all of the pieces needed for the request, according to the SAML bindings spec.

https://dev-329288.oktapreview.com/app/softwaredev329288_p4prototype_1/exkevnxi0c5MkvGx50h7/slo/saml
?SAMLRequest=fZLLbtswEEV...vULzBQ%3D%3D
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256
&Signature=EduvgzCordcX4na37FW%2BLSN7yFV7BCZJVfTKLB2dSrm6UgxmEBETH7QFx8PZ3ThPnat87%2BzJb8wU30M%2FOkddf6IONoKhDZ34MT4u2sE%2FbuLliXaoq%2BOnPJ7Z0TpoOmCgBFTEupOk25UZIiqA6saOSku7tvCFwe8dj4SmHOTUaaFjyX3uYPBa7ylMV8BfiBr0gvXLYdMd9HLU7cOW%2BYZ7aF10%2Bt0eVe0L3nvtwUWtSBseUZD48hY3wPsIJz7E6J83sc8lDixMBTsG0GrjOsvnWaKog6ZO%2FuzseXWhR014AuGo4mpDAViWhO7RbqW7C6NgxRfekZZ2AinZ58PRrQ23Yg%3D%3D

The above SAMLRequest decoded and formatted:

<?xml version="1.0"?>
<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_93fc808c731b09352d5767a39ac866b605f81407f7"
  Version="2.0"
  IssueInstant="2018-09-13T00:02:39.732Z"
  Destination="https://dev-329288.oktapreview.com/app/softwaredev329288_p4prototype_1/exkevnxi0c5MkvGx50h7/slo/saml">
    <saml:Issuer>urn:example:sp</saml:Issuer>
    <saml:NameID>nathan@example.com</saml:NameID>
    <samlp:SessionIndex>_c088863e3a972850841ce691d4ba28f45dbaf0b5ff</samlp:SessionIndex>
</samlp:LogoutRequest>

Additionally:

  1. Enabled SAML 2.0, SSO, SLO, uploaded self-signed cert to oktapreview.
  2. Tried both HTTP-Redirect and HTTP-POST (with ds:Signature in the SAMLRequest itself).
  3. Tried with python3-saml (redirect and post) and Clever/saml2 (redirect only).
  4. Okta always responds with a generic login page.

I’m hoping someone out there has run into something similar and can offer guidance. Thank you in advance.
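The HTTP-Redirect pieces listed above (raw-DEFLATE/base64 SAMLRequest, SigAlg, and the exact string the Signature covers), together with the decode-and-check an IdP applies on receipt, as an added Python example that is not code from the post, from python3-saml or from Okta. The endpoint, ID and SessionIndex values are placeholders, and the RSA signing step itself is left to a real key and library.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SLO_ENDPOINT = "https://idp.example.test/slo/saml"  # placeholder, not the poster's tenant
# Constructed LogoutRequest modelled on the one in the post; ID and SessionIndex are placeholders.
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_placeholder_id" '
    f'Version="2.0" IssueInstant="2018-09-13T00:02:39.732Z" Destination="{SLO_ENDPOINT}">'
    "<saml:Issuer>urn:example:sp</saml:Issuer><saml:NameID>nathan@example.com</saml:NameID>"
    "<samlp:SessionIndex>_placeholder_session</samlp:SessionIndex></samlp:LogoutRequest>"
)

def deflate_b64(xml_text: str) -> str:
    """HTTP-Redirect encoding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def inflate_b64(value: str) -> str:
    """Reverse of deflate_b64, as the IdP applies it to the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_query(saml_request_b64: str, relay_state=None, sig_alg=RSA_SHA256) -> str:
    """Exact octets the SP signs and the IdP re-derives to verify Signature: URL-encoded
    SAMLRequest[&RelayState]&SigAlg in that order; Signature=... is appended afterwards."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts)

def check_logout_request(url: str, expected_endpoint: str) -> dict:
    """IdP-side sanity check: decode SAMLRequest and confirm the pieces SLO needs are present."""
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(inflate_b64(qs["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    if root.get("Destination") != expected_endpoint:
        raise ValueError("Destination does not match the SLO endpoint")
    fields = {"issuer": root.findtext(f"{{{SAML}}}Issuer"),
              "name_id": root.findtext(f"{{{SAML}}}NameID"),
              "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
              "sig_alg": qs.get("SigAlg", [None])[0]}
    if not all(fields.values()):
        raise ValueError("incomplete request: " + str([k for k, v in fields.items() if not v]))
    return fields
```

Building `SLO_ENDPOINT + "?" + signed_query(deflate_b64(LOGOUT_REQUEST))` reproduces the parameter layout of the URL in the post, and running it back through `check_logout_request` is the first thing worth doing when an IdP answers with a login page instead of a LogoutResponse.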


#2

Did you ever find an answer to your question? I’m experiencing the exact same thing.


#3

No response; I suspect it does not work with Okta. Several SAML client libraries have open issues around logout with Okta, so it seems to be a common problem.