search

metabase / metabase

The simplest, fastest way to get business intelligence and analytics to everyone in your company :yum:
https://metabase.com
Other
38.04k stars 5.05k forks source link

Single Logout Fails for Okta #46605

Open ixipixi opened 1 month ago

ixipixi commented 1 month ago

Describe the bug

If you enabled SLO for Okta the logout fails when initiated from Metabase.

To Reproduce

  1. Set up Metabase v49
  2. Create a keystore for signing SSO requests & export the cert in PEM format
  3. Set up a test SAML application in Okta Enable single logout in Okta (it requires digital signing)
  4. Set up SAML in Metabase with the keystore you created and the Okta settings
  5. Set up a test Okta user
  6. Login via SSO as the test user in Okta
  7. Note that logging in with the signed request works as expected
  8. Try to logout
  9. See "error 400" page

Expected behavior

SLO should work with Okta

Logs

No response

Information about your Metabase installation

v49

Severity

annoying

Additional context

I suspect that we're failing to sign the the SLO request and that we're supposed to be directing the logout request to Oktas SLO endpoint (it looks like we may be hitting their sso endpoint instead).Handy links

Okta docs:

Quick run through in Loom: https://www.loom.com/share/9bf0882488ba480c8016a08b5e8002bd

error settings_okta

ixipixi commented 1 month ago

Also relevant: https://github.com/metabase/metabase/issues/46606