Reputation: 11
I am trying to figure out how to configure Sustainsys.Saml2 via web.config to send out a LogoutRequest with an embedded signature from the SP. My understanding is that this type of LogoutRequest uses the HTTP-POST binding. Looking at my initial setup of the SP metadata, the SP is binding with HTTP-Redirect, as shown in the first image:
(image: SingleLogoutService from SP metadata)
The reason I want to bind with HTTP-POST is that, for some reason, the IdP (Okta) is responding with "AuthnFailed" when it receives the logout request. According to the Okta logs from our MFA team, it is showing:
User single sign out from app
failure : Issuer does not match
Per our MFA team, the logout request is not signed. After further discussion, the IdP is expecting the signature to be embedded within the LogoutRequest XML, i.e. HTTP-POST. I can confirm that HTTP-Redirect is sending a signature in the request. Though at the same time, the IdP metadata they provided seems to show they can handle HTTP-Redirect, as shown in the second image:
(image: SingleLogoutService from IdP metadata)
During my local development with the dev sandbox, I had no issues with HTTP-Redirect. This is happening now from our dev/unit test web server. All certs have been set up. We are using the local IdP metadata from an XML file. I just want to try with the HTTP-POST binding to see if it solves the problem, but I just can't seem to send with that binding. Here is the Sustainsys configuration:
(image: Sustainsys web.config configuration)
Note that I am using the Sustainsys.Saml2 HttpModule setup for our ASP.NET Web Forms application.
I'm still a bit new in this SP/IdP world, but definitely learning a lot. Any help or advice would be really appreciated.
Upvotes: 1
Views: 833
Reputation: 463
I also got hit with an "Issuer does not match" failure. In my case it was the "SP Issuer" configuration setting.
SP Issuer — the identifier for the application. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP application.
https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm
I set it to the SP Entity ID, and that made Okta happy.
Upvotes: 0
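As an added example (not the asker's, the answerer's, or Sustainsys' code), a small Python check that mirrors what the answer describes: the Issuer element of the LogoutRequest must equal the SP Issuer configured in Okta, and an HTTP-POST LogoutRequest carries its signature inside the XML rather than in the query string. The sample request, entity IDs and URLs below are constructed.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a LogoutRequest and its enveloped XML signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample LogoutRequest with an embedded (HTTP-POST style) signature.
# Not captured from any real SP or IdP; the signature body is a placeholder.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://example.okta.com/app/example/slo">
  <saml:Issuer>https://sp.example.com/Saml2</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  <saml:NameID>user@example.com</saml:NameID>
  <samlp:SessionIndex>_constructed-session</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def inspect_logout_request(xml_text):
    """Return (issuer, has_embedded_signature) for a samlp:LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    # With HTTP-Redirect the signature travels in the query string, so the
    # XML itself has no ds:Signature child; with HTTP-POST it is embedded.
    has_sig = root.find("ds:Signature", NS) is not None
    return issuer, has_sig


def check_issuer(xml_text, okta_sp_issuer):
    """Mimic the IdP-side check: Issuer must equal the configured SP Issuer.

    Returns a list of problems; an empty list means the request would pass.
    """
    issuer, has_sig = inspect_logout_request(xml_text)
    problems = []
    if issuer != okta_sp_issuer:
        problems.append("Issuer does not match: request says %r, IdP expects %r"
                        % (issuer, okta_sp_issuer))
    if not has_sig:
        problems.append("no embedded ds:Signature in the LogoutRequest XML")
    return problems
```

Running `check_issuer` with the SP Entity ID returns no problems, while an ACS-style value (the other option the Okta docs mention) reproduces the "Issuer does not match" finding.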