Closed mjcloutier closed 5 years ago
The SAML LogoutResponse shows AuthnFailed. What is the error in the Okta IdP logs for this logout request?
The SP-initiated SLO is signed based on your LogoutRequest. Is Okta IdP configured to accept signed requests?
Are you using the latest versions of samly and esaml?
Okta IDP: LegacyEventType: app.auth.slo.saml.invalid_signature Reason Invalid Signature
Samly Config:
    config :samly, Samly.Provider,
      idp_id_from: :path_segment,
      service_providers: [
        %{
          id: "heimdall",
          entity_id: "heimdall",
          certfile: "priv/keys/heimdall.crt",
          keyfile: "priv/keys/heimdall.pem",
        },
      ],
      identity_providers: [
        %{
          id: "okta_heimdall",
          sp_id: "heimdall",
          base_url: "https://localhost:4443/sso",
          metadata_file: "idp_metadata.xml",
          pre_session_create_pipeline: HeimdallWeb.Plugs.SamlyPipeline,
          use_redirect_for_req: true,
          allow_idp_initiated_flow: true
        }
      ]
Was the .crt certificate file uploaded to Okta? If it was not exported signature verification will fail. I am assuming the SSO login request went through without issues. If the certificate was not uploaded it should have failed as well.
Can you also confirm if you are using the latest samly and esaml versions?
I tweaked the ./gencert from the samly_howto to produce a cert for localhost creds and uploaded the heimdall.crt to the Okta SLO field.
"esaml": {:hex, :esaml, "3.5.0", "313b4b98c7eb4720a6c6659b11b16ddb8726d9a1fdeba43bb6d9fdfe9e14e691", [:rebar3], [{:cowboy, "1.1.2", [hex: :cowboy, repo: "hexpm", optional: false]}], "hexpm"},
"samly": {:hex, :samly, "0.9.2", "9dc318cd257b3853539c8456f8977eb2152de57126acd8bd2d037d4cf5633413", [:mix], [{:esaml, "~> 3.4", [hex: :esaml, repo: "hexpm", optional: false]}, {:plug, "~> 1.4", [hex: :plug, repo: "hexpm", optional: false]}, {:sweet_xml, "~> 0.6", [hex: :sweet_xml, repo: "hexpm", optional: false]}], "hexpm"},
Can you use this tool to validate the request - use the XML dump of your LogoutRequest.
For some reason I keep getting:
Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd
Did you mean "was able to validate the logout request"?
When I paste in the above LogoutRequest it tells me Invalid SAML
Using the Validate XML with XSD Schema I am unable to validate the Authentication Request from Samly app, or the LogoutRequest, but I am able to validate the SAML Response from the Authentication Request.
Here is the LogoutRequest:
Line: 8 | Column: 0 --> Element '{urn:oasis:names:tc:SAML:2.0:protocol}LogoutRequest', attribute 'ProtocolBinding': The attribute 'ProtocolBinding' is not allowed.
Line: 23 | Column: 0 --> Element '{urn:oasis:names:tc:SAML:2.0:assertion}Issuer': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:protocol}Extensions, {urn:oasis:names:tc:SAML:2.0:assertion}BaseID, {urn:oasis:names:tc:SAML:2.0:assertion}NameID, {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID ).
If I remove those two lines from the Request, it validates.
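The two validator messages quoted above correspond to two constraints in saml-schema-protocol-2.0.xsd: LogoutRequest does not take a ProtocolBinding attribute (only AuthnRequest does), and the Issuer element must come first in the child sequence. The following is an added Python example, not code from samly or esaml, that checks exactly those two constraints with the standard library; the two LogoutRequest documents in it are constructed for the example, with an empty placeholder Signature element and placeholder IDs, and it is not a substitute for full XSD validation.

```python
# Added example (not esaml/samly code): structural checks for a samlp:LogoutRequest
# covering the two saml-schema-protocol-2.0.xsd violations reported in this thread:
# a ProtocolBinding attribute (which only AuthnRequest may carry) and an Issuer
# element out of schema order. Standard library only; this is not a full XSD
# validation, so keep using a real XSD validator for anything beyond these checks.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def qname(ns, name):
    return "{%s}%s" % (ns, name)


def local(tag):
    return tag.rsplit("}", 1)[-1]


# Attributes RequestAbstractType and LogoutRequestType allow on LogoutRequest.
ALLOWED_ATTRS = {"ID", "Version", "IssueInstant", "Destination", "Consent", "Reason", "NotOnOrAfter"}
REQUIRED_ATTRS = {"ID", "Version", "IssueInstant"}

# Child sequence from the schema as (accepted tags, min occurs, max occurs; None = unbounded):
# Issuer?, Signature?, Extensions?, (BaseID | NameID | EncryptedID), SessionIndex*
SEQUENCE = [
    ({qname(SAML, "Issuer")}, 0, 1),
    ({qname(DSIG, "Signature")}, 0, 1),
    ({qname(SAMLP, "Extensions")}, 0, 1),
    ({qname(SAML, "BaseID"), qname(SAML, "NameID"), qname(SAML, "EncryptedID")}, 1, 1),
    ({qname(SAMLP, "SessionIndex")}, 0, None),
]


def check_logout_request(xml_text):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != qname(SAMLP, "LogoutRequest"):
        return ["root element is %s, not samlp:LogoutRequest" % root.tag]

    # Attribute checks (ElementTree does not expose xmlns declarations in .attrib).
    for name in sorted(root.attrib):
        if name not in ALLOWED_ATTRS:
            findings.append("attribute '%s' is not allowed on LogoutRequest" % name)
    for name in sorted(REQUIRED_ATTRS - set(root.attrib)):
        findings.append("required attribute '%s' is missing" % name)

    # Element order check: walk the children against the schema sequence without backtracking.
    counts = [0] * len(SEQUENCE)
    pos = 0
    for child in root:
        slot = next((i for i in range(pos, len(SEQUENCE)) if child.tag in SEQUENCE[i][0]), None)
        if slot is None:
            # Report what the schema would accept here, up to the first unmet mandatory slot.
            expected = []
            for i in range(pos, len(SEQUENCE)):
                tags, minc, maxc = SEQUENCE[i]
                if maxc is None or counts[i] < maxc:
                    expected.extend(sorted(local(t) for t in tags))
                if counts[i] < minc:
                    break
            findings.append("element %s is not expected here; expected one of %s"
                            % (local(child.tag), ", ".join(expected)))
            continue
        counts[slot] += 1
        maxc = SEQUENCE[slot][2]
        if maxc is not None and counts[slot] > maxc:
            findings.append("element %s appears more than %d time(s)" % (local(child.tag), maxc))
        pos = slot
    for (tags, minc, _), n in zip(SEQUENCE, counts):
        if n < minc:
            findings.append("missing required element: one of "
                            + ", ".join(sorted(local(t) for t in tags)))
    return findings


# Constructed sample mirroring the thread's report: ProtocolBinding on the request
# and Issuer placed after the (placeholder, empty) Signature element.
BAD_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z"
    Destination="https://idp.example.invalid/slo"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect">
  <ds:Signature/>
  <saml:Issuer>heimdall</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
  <samlp:SessionIndex>_constructed-session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# The same request with the attribute removed and Issuer moved to the front.
GOOD_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z"
    Destination="https://idp.example.invalid/slo">
  <saml:Issuer>heimdall</saml:Issuer>
  <ds:Signature/>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
  <samlp:SessionIndex>_constructed-session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    for label, doc in (("bad", BAD_LOGOUT_REQUEST), ("good", GOOD_LOGOUT_REQUEST)):
        print(label, check_logout_request(doc) or "ok")
```

Running the checker on the constructed bad request reports the attribute and the misplaced Issuer, in the same terms as the thread's validator; the corrected request yields no findings. Because the order check never backtracks, it reports an element in the same way the XSD sequence model does: once a later slot has been filled, an earlier optional element such as Issuer is no longer expected.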
OK. I need to look into this. Will get back to you. Thanks.
Can you please open this LogoutRequest schema validation error as an issue in the esaml repo?
https://github.com/handnot2/esaml
Thanks.
Sure thing, thanks for taking a look at this!
Are you planning on IdP initiated logout as well? If so, it would be good to check if the Schema validation is present there as well.
When I use the config flag allow_idp_initiated_flow: true, it currently automatically logs into the app successfully from Okta.
It is strange that the AuthnRequest is invalid but that it works currently and sends a response back from Okta to sign me in. It only has one error line, which is the Issuer. The LogoutRequest has both Issuer and ProtocolBinding.
My apologies, I didn't read your comment correctly: IdP initiated logout. I will check.
Schema validation fixes for LogoutRequest and LogoutResponse are done in esaml v3.6.0. A new version of samly, v0.9.3, is released that uptakes the esaml fix. Please try it out. The schema validation error might not be the root cause of your issue. I am updating this issue as the validation problem was uncovered as part of this thread. Uptake this version and try it out to see if this fix makes any difference.
I tested with the new version and the Authn, LogoutRequest and LoginRequest are producing proper schema validation now. I am still having an issue with Invalid Signature which might be an issue on my end with configuration. When I find a solution to the Okta LogoutRequest I will post a wiki example for Okta for Login and Logout using samly. Thanks much for looking into the issue.
I would like to close this if the root cause turns out to be a configuration issue. Would appreciate an update on this. Thanks.
I was able to get SSO working with Okta, but I am having an issue with Single Logout, which always returns 403 Authn Failure "Invalid Signature".
Saml Trace
GET
POST https://localhost:4443/sso/sp/logout/okta_heimdall