OKTA SLO Integration #592
Comments
Invalid Signature means that the entity was not able to validate the signature related to the SAML Message.
With Okta as an IDP, for SLO to work, then in the Okta App for your SP, you
need to upload the SP's signing certificate into Okta's "Signature
Certificate" section near the other SLO fields in the "Advanced settings"
section. Note that Okta has a different configuration for the token
encryption certificate, which should be your SP's encryption certificate
(in most cases, the SP uses the same certificate for encryption and signing
but technically they can be different). Also, I have observed that Okta
supports SP-initiated SLO but not IDP-initiated SLO.
On Wed, Jun 2, 2021 at 4:30 PM Sixto Martin wrote:
Invalid Signature means that the entity was not able to validate the
signature related to the SAML Message.
Verify that the entity that verifies the signature has registered the same
public cert of the entity that generated the SAMLResponse.
--
*Darryl Hopkins*
No idea why they don't support IDP-initiated SLO :( Okta also does not support HTTP-Redirect binding and only HTTP-POST for the generated LogoutRequest and LogoutResponses. SLO at Okta requires LogoutRequest and LogoutResponses to be signed, so you need to register the SP cert at Okta that will allow the Signature validation.
I was able to get OKTA SLO working (SP-initiated) in https://github.com/onelogin/ruby-saml/releases/tag/v1.14.0 by adding:
to the SAML settings before creating the
The metadata returned by my OKTA app includes both bindings:
This library picks the first one. So when I tried to redirect to the generated SLO URL, OKTA was looking for the signature in the query params. However, the signature was actually embedded in the SAML document instead.
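To illustrate the binding problem described in the comment above, here is an added example (not code from the thread or from ruby-saml) that parses a constructed Okta-style IdP metadata fragment with Ruby's stdlib REXML and picks the SingleLogoutService by preferred binding rather than by document order, so an SP that must use HTTP-POST for Okta SLO does not end up on the HTTP-Redirect endpoint. The entityID and Location values are placeholders, not real Okta values.

```ruby
require "rexml/document"

# Constructed sample of an IdP metadata fragment (placeholder values, not real Okta
# output). As in the comment above, the SingleLogoutService is advertised with both
# bindings and HTTP-Redirect is listed first.
SAMPLE_IDP_METADATA = <<~XML
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      entityID="http://www.okta.com/PLACEHOLDER-ENTITY-ID">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://example.okta.com/app/placeholder/slo/saml"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://example.okta.com/app/placeholder/slo/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
XML

MD_NS         = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Pick the SingleLogoutService whose Binding comes first in `preferred`, independent
# of the order in which the IdP lists them. The binding matters for signatures: with
# HTTP-Redirect the IdP looks for the signature in the query string, with HTTP-POST
# inside the SAML document, so choosing the wrong one yields "Invalid Signature".
# Returns a hash {binding:, location:} or nil if no preferred binding is advertised.
def select_slo_endpoint(metadata_xml, preferred: [HTTP_POST, HTTP_REDIRECT])
  doc = REXML::Document.new(metadata_xml)
  services = REXML::XPath.match(doc, "//md:IDPSSODescriptor/md:SingleLogoutService",
                                "md" => MD_NS)
  preferred.each do |binding|
    svc = services.find { |s| s.attributes["Binding"] == binding }
    return { binding: binding, location: svc.attributes["Location"] } if svc
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  endpoint = select_slo_endpoint(SAMPLE_IDP_METADATA)
  puts "SLO endpoint: #{endpoint[:location]} via #{endpoint[:binding]}"
end
```

In ruby-saml itself the `IdpMetadataParser` accepts a `slo_binding` option (an array of binding URIs in preference order) that performs this selection when parsing the IdP metadata.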
Hi
I'm working on SAML integration with AZURE and SAML.
Azure is working fine but I have a problem with OKTA SLO.
Added:
config.saml_configure do |settings|
settings.security[:logout_requests_signed] = true
settings.certificate = "..."
settings.private_key = "..."
end
and the certificate used in the settings is added as the Signature Certificate on the OKTA Edit SAML Integration form,
but when I'm trying to log out I get the error "User single sign out from app failure: Invalid Signature" on the LogoutRequest.
My question: Has anyone implemented OKTA SLO? What is wrong?
Am I uploading the right certificate?
Should I fill in something in the SP Issuer input on the Edit SAML Integration form on the OKTA page?