I’m trying to add support for Okta in my application, and running into trouble with the logout. SSO is working fine, but when the app sends an SLO request, Okta responds with a generic login page, as if the request was not understood at all.
The HTTP-Redirect URL below, with line-breaks for readability (and some editing to hide my email address), shows what I believe are all of the pieces needed for the request, according to the SAML bindings spec.
https://dev-329288.oktapreview.com/app/softwaredev329288_p4prototype_1/exkevnxi0c5MkvGx50h7/slo/saml
?SAMLRequest=fZLLbtswEEV...vULzBQ%3D%3D
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256
&Signature=EduvgzCordcX4na37FW%2BLSN7yFV7BCZJVfTKLB2dSrm6UgxmEBETH7QFx8PZ3ThPnat87%2BzJb8wU30M%2FOkddf6IONoKhDZ34MT4u2sE%2FbuLliXaoq%2BOnPJ7Z0TpoOmCgBFTEupOk25UZIiqA6saOSku7tvCFwe8dj4SmHOTUaaFjyX3uYPBa7ylMV8BfiBr0gvXLYdMd9HLU7cOW%2BYZ7aF10%2Bt0eVe0L3nvtwUWtSBseUZD48hY3wPsIJz7E6J83sc8lDixMBTsG0GrjOsvnWaKog6ZO%2FuzseXWhR014AuGo4mpDAViWhO7RbqW7C6NgxRfekZZ2AinZ58PRrQ23Yg%3D%3D
The above SAMLRequest decoded and formatted:
<?xml version="1.0"?>
<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_93fc808c731b09352d5767a39ac866b605f81407f7"
    Version="2.0"
    IssueInstant="2018-09-13T00:02:39.732Z"
    Destination="https://dev-329288.oktapreview.com/app/softwaredev329288_p4prototype_1/exkevnxi0c5MkvGx50h7/slo/saml">
  <saml:Issuer>urn:example:sp</saml:Issuer>
  <saml:NameID>nathan@example.com</saml:NameID>
  <samlp:SessionIndex>_c088863e3a972850841ce691d4ba28f45dbaf0b5ff</samlp:SessionIndex>
</samlp:LogoutRequest>
Additionally:
- Enabled SAML 2.0, SSO, SLO, uploaded self-signed cert to oktapreview.
- Tried both HTTP-Redirect and HTTP-POST (with ds:Signature in the SAMLRequest itself).
- Tried with python3-saml (redirect and post) and Clever/saml2 (redirect only).
- Okta always responds with a generic login page.
I’m hoping someone out there has run into something similar and can offer guidance. Thank you in advance.
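
Added example, not part of the original post: under the HTTP-Redirect binding in the SAML bindings spec cited above, the signature covers the URL-encoded octets `SAMLRequest=…[&RelayState=…]&SigAlg=…` in that fixed order, and the message itself is raw-DEFLATE compressed before base64. This Python helper decodes such a URL and rebuilds those octets so they can be compared with what the signing library actually signed; the function names, the `idp.example.test` endpoint and the sample values are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def deflate_b64(xml: str) -> str:
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def inspect_redirect(url: str) -> dict:
    """Decode a redirect-binding URL and rebuild the octets its signature covers."""
    parts = urlsplit(url)
    # Keep the values exactly as sent: the signature covers the URL-encoded form.
    raw = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    key = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    # Stdlib parser is fine for your own messages; use defusedxml for untrusted XML.
    root = ET.fromstring(zlib.decompress(base64.b64decode(unquote(raw[key])), -15))
    # Fixed order, RelayState only if present, Signature itself never included.
    signed = "&".join(f"{k}={raw[k]}" for k in (key, "RelayState", "SigAlg") if k in raw)
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return {
        "message_type": root.tag,
        "destination_matches": root.get("Destination") == endpoint,
        "sig_alg": unquote(raw.get("SigAlg", "")),
        "signed_octets": signed.encode("ascii"),
        "signature": base64.b64decode(unquote(raw.get("Signature", ""))),
    }

def build_sample_url() -> str:
    """Constructed sample (hypothetical IdP, placeholder signature bytes)."""
    dest = "https://idp.example.test/slo/saml"
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2018-09-13T00:00:00Z" Destination="{dest}">'
           f'<saml:Issuer>urn:example:sp</saml:Issuer>'
           f'<saml:NameID>user@example.test</saml:NameID></samlp:LogoutRequest>')
    sig = base64.b64encode(b"constructed-not-a-real-signature").decode()
    return (f"{dest}?SAMLRequest={quote(deflate_b64(xml), safe='')}"
            f"&SigAlg={quote(RSA_SHA256, safe='')}&Signature={quote(sig, safe='')}")

if __name__ == "__main__":
    for name, value in inspect_redirect(build_sample_url()).items():
        print(f"{name}: {value!r}")
```

The `signed_octets` and `signature` values are what an RSA-SHA256 verification against the SP certificate would take as input; that step needs a crypto library and is left out here.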