OKTA SLO Integration

[Murarius]

Hi
Im working on SAML integration with AZURE and SAML
Azure is working fine but i have problem with OKTA SLO

Added:
config.saml_configure do |settings|
settings.security[:logout_requests_signed] = true
settings.certificate = "..."
settings.private_key = "..."
end

and certificate used in settings is added as Signature Certificate on OKTA Edit SAML Integration form
but when im trying to log out i get: "User single sign out from app failure: Invalid Signature" Error. on LogoutRequest

My question: Has anyone implemented OCTA SLO? What is wrong?
Im uploading good certificate?
should i fill something in SP Issuer input on Edit SAML Integration form on OKTA page?

[pitbulk]

Invalid Signature means that the entity was not able to validate the signature related to the SAML Message.
Verify that the entity that verifies the signature has registered the same public cert of the entity that generated the SAMLResponse.

[darrylhopkins]

With Okta as an IDP, for SLO to work, then in the Okta App for your SP, you need to upload the SP's signing certificate into Okta's "Signature Certificate" section near the other SLO fields in the "Advanced settings" section. Note that Okta has a different configuration for the token encryption certificate, which should be your SP's encryption certificate (in most cases, the SP uses the same certificate for encryption and signing but technically they can be different). Also, I have observed that Okta supports SP-initiated SLO but not IDP-initiated SLO.

…

On Wed, Jun 2, 2021 at 4:30 PM Sixto Martin ***@***.***> wrote: Invalid Signature means that the entity was not able to validate the signature related to the SAML Message. Verify that the entity that verifies the signature has registered the same public cert of the entity that generated the SAMLResponse. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#592 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACXOM7TSMXHGMXCIKQK7BP3TQ2IF5ANCNFSM45HSIEFQ> .

-- *Darryl Hopkins* Director, Business Analysis 2300 N Street NW, Suite 500 Washington, DC 20037 *C **571.296.3359* ***@***.*** everfi.com <http://www.everfi.com/>

[pitbulk]

I have observed that Okta supports SP-initiated SLO but not IDP-initiated SLO.

No idea why they don't support IDP-initiated SLO :(

Okta also does not support HTTP-Redirect binding and only HTTP-POST for the generated LogoutRequest and LogoutResponses.

SLO at Okta requires LogoutRequest and LogoutResponses to be signed, so you need to register the SP cert at Okta that will allow the Signature validation.

[hasmanyguitars]

I was able to get OKTA SLO working (SP-initiated) in https://github.com/onelogin/ruby-saml/releases/tag/v1.14.0 by adding:

settings.idp_slo_service_binding = OneLogin::RubySaml::Utils::BINDINGS[:redirect]

to the SAML settings before creating the OneLogin::RubySaml::Logoutrequest

The metadata returned by my OKTA app includes both bindings:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="OKTA_APP_URL/slo/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="OKTA_APP_URL/slo/saml"/>

This library picks the first one. So when I tried to redirect to the generated SLO URL, OKTA was looking for the signature in the query params. However, the signature was actually embedded in the SAML document instead.