handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License
126 stars 93 forks

Okta SLO #27

Closed mjcloutier closed 5 years ago

mjcloutier commented 6 years ago

I was able to get SSO working with Okta, but I am having an issue with Single Logout: it always returns 403 Authn Failure "Invalid Signature".

SAML Trace

GET

<?xml version="1.0"?>
<samlp:LogoutRequest
    Destination="https://dev-455970.oktapreview.com/app/heimdall_heimdall_3/exkga21ozaP0T2pcG0h7/slo/saml"
    ID="id153704109584333124814146" IssueInstant="2018-09-15T19:52:28Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id153704109584333124814146">
                <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>4tDSZaOzXbmXi3BCqaiYC2WY5V1wLyPuh5xmAdJK6mg=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Issuer>heimdall</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">michael.cloutier@experian.com</saml:NameID>
    <samlp:SessionIndex>id153704105052115878813602</samlp:SessionIndex>
</samlp:LogoutRequest>

POST https://localhost:4443/sso/sp/logout/okta_heimdall

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse Destination="https://localhost:4443/sso/sp/logout/okta_heimdall"
    ID="id7678592447510182044070111" InResponseTo="id153704109584333124814146"
    IssueInstant="2018-09-15T19:52:31.109Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkga21ozaP0T2pcG0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id7678592447510182044070111">
                <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>283rIuOaM+hL31Nl+hVcevNirAseiSClDjwpVCWAXtQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ebcTux5oIGBdJdOiPsrTN9i3W2MZ9PO4HSJQANdXG7ofa3EvcYwwfXzMsqNTrvPOikAYZnKbqgJofmxBMbsD04XmmyxYtrjnop3jW45hHsEMVp44rC2I9PFt0Y+zUh2ua77wjN3c5ozXR2vKzGWZkmpK3TGvpbsMsO1ODCf5DwogheCYwInpoO+gA69xhzgedN0wDU3PPSOhRcROLuhAJUxD8F5nPFQh3sB7ohbgi1mgAjmLjG0M6ogDP2pcN1rdQH/esPFKYwUh8rffL62KGtCgVbSQ53N6cUeCi8iWUfL5o0DHUP8SKVbc1wUhjk/+mK+geh2NCooHgWus6j1HEQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAWXOODnmMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
                    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
                    MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTU5NzAxHDAaBgkqhkiG9w0BCQEW
                    DWluZm9Ab2t0YS5jb20wHhcNMTgwOTEyMTQzNzM2WhcNMjgwOTEyMTQzODM1WjCBkjELMAkGA1UE
                    BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
                    BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU1OTcwMRwwGgYJ
                    KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
                    lveqreKkBgHRsCbxLCYAyEWydeqzbzNZ9MWElnE89n/Ums2CpWBh9b9lFZlJXr1eb+07E3jKROZQ
                    uzPV8z6Ds2G7jDv92apXJ1so2SZ7DVdE4kC8Z11ujbMW+F3WWeGK+vASdGYkIbcpXdgy42Whi7MW
                    qw8vwFIC4rxJ7HffwSpQvc87+tICDO2jn/iVupoqTQhjyKg0iuJV4vli5D7ne7n0E5sn3AE0R3hL
                    n+88Ufm7MZD8AXVEdna8t8/kqGYVrol7yLYlOPp8u+pNd0bkAQ3lBRJb6f/kch8ommlywzv7lZA9
                    +d02xaHd0G2x/KJt6xqVHTBazK5fdbCKgV7fXQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBvb5Ra
                    z1XYOSVV7scdOwSzhf0r0GOBl9V2YNmLD8gCID5VknJHBD+riI8vHu2UkIh39s2c+4LISTQ9Gu0K
                    CcI2LU8nXz9Xy3oGMEgYEUz7ZwmcZGU/bMIANjfdyhJ1kURMG0vQcjNMVpAvqna+mb1idFTwjK7A
                    rEgaOxh/XoCNIZ9t1tkZh69DX09nUYTn1G3RIbyGGZ/7GY2dfSJubuhZnvK528QaowvRG/zGHYbw
                    UdwgbJIMTX2eR1jHKTi3L5xM/hED/fPkbF880fheumiR9AAS3OB71DdiUM3LMc8iaZkTd7PTXvfw
                    7TeSM9rf62Caimx0DhBjJhsuI6PyXxC4</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></saml2p:Status>
</saml2p:LogoutResponse>

handnot2 commented 6 years ago

The SAML LogoutResponse shows AuthnFailed. What is the error in the Okta IdP logs for this logout request?

The SP initiated SLO is signed based on your LogoutRequest. Is Okta IdP configured to accept signed requests?

Are you using the latest versions of samly and esaml?

mjcloutier commented 6 years ago

Okta IDP: LegacyEventType: app.auth.slo.saml.invalid_signature Reason Invalid Signature

[Screenshot: Okta admin SAML app settings (saml-wizard edit) for heimdall_heimdall_3, 2018-09-15]

Samly Config:

config :samly, Samly.Provider,
  idp_id_from: :path_segment,
  service_providers: [
    %{
      id: "heimdall",
      entity_id: "heimdall",
      certfile: "priv/keys/heimdall.crt",
      keyfile: "priv/keys/heimdall.pem",
    },
  ],
  identity_providers: [
    %{
      id: "okta_heimdall",
      sp_id: "heimdall",
      base_url: "https://localhost:4443/sso",
      metadata_file: "idp_metadata.xml",
      pre_session_create_pipeline: HeimdallWeb.Plugs.SamlyPipeline,
      use_redirect_for_req: true,
      allow_idp_initiated_flow: true
    }
  ]

handnot2 commented 6 years ago

Was the .crt certificate file uploaded to Okta? If it was not exported, signature verification will fail. I am assuming the SSO login request went through without issues. If the certificate was not uploaded, it should have failed as well.

Can you also confirm if you are using the latest samly and esaml versions?

mjcloutier commented 6 years ago

I tweaked the ./gencert from the samly_howto to produce a cert for localhost creds and uploaded the heimdall.crt to okta SLO field.

"esaml": {:hex, :esaml, "3.5.0", "313b4b98c7eb4720a6c6659b11b16ddb8726d9a1fdeba43bb6d9fdfe9e14e691", [:rebar3], [{:cowboy, "1.1.2", [hex: :cowboy, repo: "hexpm", optional: false]}], "hexpm"},

"samly": {:hex, :samly, "0.9.2", "9dc318cd257b3853539c8456f8977eb2152de57126acd8bd2d037d4cf5633413", [:mix], [{:esaml, "~> 3.4", [hex: :esaml, repo: "hexpm", optional: false]}, {:plug, "~> 1.4", [hex: :plug, repo: "hexpm", optional: false]}, {:sweet_xml, "~> 0.6", [hex: :sweet_xml, repo: "hexpm", optional: false]}], "hexpm"},

handnot2 commented 6 years ago

Can you use this tool to validate the request - use the XML dump of your LogoutRequest.

https://www.samltool.com/validate_logout_req.php

mjcloutier commented 6 years ago

For some reason I keep getting:

Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd

handnot2 commented 6 years ago

Did you mean "was able to validate the logout request"?

mjcloutier commented 6 years ago

When I paste in the above LogoutRequest it tells me Invalid SAML

mjcloutier commented 6 years ago

Using the Validate XML with XSD Schema I am unable to validate the Authentication Request from Samly app, or the LogoutRequest, but I am able to validate the SAML Response from the Authentication Request.

mjcloutier commented 6 years ago

Here is the LogoutRequest:

Line: 8 | Column: 0  --> Element '{urn:oasis:names:tc:SAML:2.0:protocol}LogoutRequest', attribute 'ProtocolBinding': The attribute 'ProtocolBinding' is not allowed.

Line: 23 | Column: 0  --> Element '{urn:oasis:names:tc:SAML:2.0:assertion}Issuer': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:protocol}Extensions, {urn:oasis:names:tc:SAML:2.0:assertion}BaseID, {urn:oasis:names:tc:SAML:2.0:assertion}NameID, {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID ).

mjcloutier commented 6 years ago

If I remove those two lines from the Request, it validates.
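
The two checks behind this thread, written up as an added example (this is not samly's or esaml's code, nor anything posted by a participant): a lint for the LogoutRequest child order and attribute set that saml-schema-protocol-2.0.xsd defines, which reproduces the two validator errors above (ProtocolBinding is an AuthnRequest attribute, and Issuer must precede Signature), and a SHA-256 fingerprint comparison between the certificate carried in the request's ds:KeyInfo and the .crt that was uploaded to the IdP, which is the quickest way to confirm the "was the certificate uploaded" question from earlier in the thread. All URLs, IDs and certificate bytes in the sample are constructed placeholders; the sample request only mirrors the shape of the trace above.

```python
"""Diagnostics for an SP-initiated SAML 2.0 LogoutRequest (added example).

1. Does the XML follow the child order and attribute set that
   saml-schema-protocol-2.0.xsd defines for LogoutRequest?
2. Does the certificate in ds:KeyInfo match the SP certificate uploaded
   to the IdP (compared by SHA-256 fingerprint of the DER bytes)?
All sample values below are constructed placeholders, not real SAML data.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Schema child order: RequestAbstractType's Issuer, Signature, Extensions,
# then one subject identifier (a choice), then SessionIndex*.
LOGOUT_REQUEST_ORDER = [
    f"{{{SAML}}}Issuer", f"{{{DS}}}Signature", f"{{{SAMLP}}}Extensions",
    f"{{{SAML}}}BaseID", f"{{{SAML}}}NameID", f"{{{SAML}}}EncryptedID",
    f"{{{SAMLP}}}SessionIndex",
]
# Attributes RequestAbstractType allows plus the two LogoutRequest adds.
# ProtocolBinding belongs to AuthnRequest only, hence the validator error.
ALLOWED_ATTRS = {"ID", "Version", "IssueInstant", "Destination", "Consent",
                 "Reason", "NotOnOrAfter"}


def schema_findings(xml_text):
    """Return human-readable schema violations for a LogoutRequest document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return [f"root element is {root.tag}, not samlp:LogoutRequest"]
    findings = [f"attribute '{a}' is not allowed on LogoutRequest"
                for a in sorted(root.attrib) if a not in ALLOWED_ATTRS]
    last_rank = -1
    for child in root:
        if child.tag not in LOGOUT_REQUEST_ORDER:
            findings.append(f"unexpected child element {child.tag}")
            continue
        rank = LOGOUT_REQUEST_ORDER.index(child.tag)
        if rank < last_rank:
            findings.append(f"{child.tag} appears after "
                            f"{LOGOUT_REQUEST_ORDER[last_rank]}; "
                            "the schema requires it earlier")
        last_rank = max(last_rank, rank)
    return findings


def conform(xml_text):
    """Drop disallowed attributes and put children in schema order.

    Only meaningful on the unsigned document: an enveloped signature's digest
    covers the element content, so reordering a signed request breaks the
    signature. The emitter has to produce this order before signing.
    """
    root = ET.fromstring(xml_text)
    for attr in list(root.attrib):
        if attr not in ALLOWED_ATTRS:
            del root.attrib[attr]
    children = sorted(list(root), key=lambda c: LOGOUT_REQUEST_ORDER.index(c.tag)
                      if c.tag in LOGOUT_REQUEST_ORDER else len(LOGOUT_REQUEST_ORDER))
    for child in list(root):
        root.remove(child)
    root.extend(children)
    return ET.tostring(root, encoding="unicode")


def embedded_cert_fingerprint(xml_text):
    """SHA-256 hex fingerprint of the DER cert in ds:KeyInfo, or None."""
    cert = ET.fromstring(xml_text).find(f".//{{{DS}}}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        return None
    return hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()


def pem_fingerprint(pem_text):
    """SHA-256 hex fingerprint of the certificate in a single-cert PEM file."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def fingerprints_match(xml_text, pem_text):
    """True when the request carries the same certificate as the PEM file."""
    fp = embedded_cert_fingerprint(xml_text)
    return fp is not None and fp == pem_fingerprint(pem_text)


# Constructed stand-ins: these bytes are not a real certificate.
FAKE_DER = b"constructed bytes standing in for the SP certificate DER"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"

# Mirrors the shape of the request in the thread: Signature before Issuer and
# a ProtocolBinding attribute, both of which the schema rejects.
SAMPLE_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Destination="https://idp.example.test/slo/saml" ID="id-constructed-1"
    IssueInstant="2018-09-15T19:52:28Z" Version="2.0"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Reason="urn:oasis:names:tc:SAML:2.0:logout:user">
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo/>
    <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Issuer>sp-example</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">user@example.test</saml:NameID>
  <samlp:SessionIndex>session-constructed-1</samlp:SessionIndex>
</samlp:LogoutRequest>
"""

if __name__ == "__main__":
    for finding in schema_findings(SAMPLE_REQUEST):
        print("schema:", finding)
    print("conforms after fix:", schema_findings(conform(SAMPLE_REQUEST)) == [])
    print("cert matches uploaded .crt:", fingerprints_match(SAMPLE_REQUEST, SAMPLE_PEM))
```

To use it against a real trace, pass the decoded LogoutRequest XML as `xml_text` and the contents of the SP's certfile (the `.crt` from the samly config) as `pem_text`; a fingerprint mismatch means the IdP is verifying against a different certificate than the one the SP signs with, while a match moves the search to canonicalization or the IdP's own settings. Note that `conform()` is only a demonstration of what the emitter must produce: reordering an already signed request invalidates its enveloped signature, so a schema fix has to be applied where the XML is generated, before signing.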

handnot2 commented 6 years ago

OK. I need to look into this. Will get back to you. Thanks.

handnot2 commented 6 years ago

Can you please open this LogoutRequest schema validation error as an issue in the esaml repo?

https://github.com/handnot2/esaml

Thanks.

mjcloutier commented 6 years ago

Sure thing, thanks for taking a look at this!

mjcloutier commented 6 years ago

https://github.com/handnot2/esaml/issues/8

handnot2 commented 6 years ago

Are you planning on IdP initiated logout as well? If so, it would be good to check if the Schema validation is present there as well.

mjcloutier commented 6 years ago

When I use the config flag allow_idp_initiated_flow: true, it currently automatically logs into the app successfully from Okta.

It is strange that the AuthnRequest is invalid but that it works currently and sends a response back from Okta to sign me in. It only has one error line, which is the Issuer; the LogoutRequest has both Issuer and ProtocolBinding.

mjcloutier commented 6 years ago

My apologies, I didn't read your comment correctly: IdP initiated logout. I will check.

handnot2 commented 6 years ago

Schema validation fixes for LogoutRequest and LogoutResponse are done in esaml v3.6.0. A new version of samly, v0.9.3, is released that uptakes the esaml fix. Please try it out. The schema validation error might not be the root cause of your issue. I am updating this issue as the validation problem was uncovered as part of this thread. Uptake this version and try it out to see if this fix makes any difference.

mjcloutier commented 6 years ago

I tested with the new version and the Authn, LogoutRequest and LoginRequest are producing proper schema validation now. I am still having an issue with Invalid Signature which might be an issue on my end with configuration. When I find a solution to the Okta LogoutRequest I will post a wiki example for Okta for Login and Logout using samly. Thanks much for looking into the issue.

handnot2 commented 5 years ago

I would like to close this if the root cause turns out to be a configuration issue. Would appreciate an update on this. Thanks.