Inazo

Reputation: 498

SimpleSAMLphp send SLO request to remote IDP Okta

So I need to send an SLO request to an Okta IdP from my ServiceProvider made with SimpleSAMLphp.

I have tried the logout function of SimpleSAMLphp, but it only logs out on the ServiceProvider, not on my IDP...

The code used:

require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp'); 
$as->logout();

I tried to pass the SLO URL of my IDP as a parameter to the logout() function, but some parameters are missing in the request and there is no documentation on how to generate these missing parameters...

Thanks for help!

Best regards,

EDIT:

I put my authsources config:

'default-sp' => [
    'saml:SP',
    'entityID' => null,
    'idp' => 'http://www.okta.com/ID',
    'discoURL' => null,
    'privatekey' => 'sp.pem',
    'certificate' => 'sp.crt',
    'sign.logout' => true,
    'sign' => [
        'logout' => true
    ]
],

EDIT:

The IDP metadata:

$metadata['http://www.okta.com/randomString'] = array (
  'entityid' => 'http://www.okta.com/randomString',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'NameIDFormats' => 
  array (
    0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    1 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'certValue',
    ),
  ),
);

Upvotes: 0

Views: 472

Answers (2)

Inazo

Reputation: 498

So finally the bug was that I missed starting the session in the logout script. So SimpleSAMLphp never found the current session; as Patrick suggested in his comment, isAuthenticated was always false.

So to correct the bug I added at the start of my logout script a

session_start();

And it works!

Upvotes: 1

Patrick

Reputation: 3981

You will need to first enable logout in the Okta app. This will require your service provider public cert since Okta wants logout requests to be signed.

Once you have enabled logout the SAML metadata for the Okta IdP changes to include the logout URLs. You will need to update the metadata you have in SSP so that SSP knows about Okta's logout url.

Lastly, you need to enable signed logout messages from SSP. You do that with the 'sign.logout' => true option in your authsources.php.

Upvotes: 1
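Putting the two answers together, here is a complete SP-initiated logout script as an added example (not code from the question or the answers). It assumes the install path and the 'default-sp' authsource shown in the question, that 'sign.logout' => true is set there and that the Okta SingleLogoutService is present in saml20-idp-remote.php; the ReturnTo URL is a placeholder.

```php
<?php
// Added example: SimpleSAMLphp 1.x logout script that sends a LogoutRequest
// to the remote IdP (Okta) instead of only clearing local SP state.
// Path and authsource name are taken from the question.
require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');

// The fix from the accepted answer: in the asker's setup, without an active
// PHP session SimpleSAMLphp could not find the SAML session stored at login,
// isAuthenticated() was always false and logout() never contacted the IdP.
session_start();

$as = new SimpleSAML_Auth_Simple('default-sp');

// Placeholder landing page (assumption, not from the question).
$returnTo = 'https://sp.example.com/loggedout.php';

if (!$as->isAuthenticated()) {
    // No SP session means no NameID/SessionIndex to build a LogoutRequest
    // from, so there is nothing to terminate at the IdP. Just redirect.
    header('Location: ' . $returnTo);
    exit;
}

// With 'sign.logout' => true in authsources.php and the IdP's
// SingleLogoutService known from saml20-idp-remote.php, this sends a signed
// LogoutRequest to Okta and returns the browser to $returnTo once the IdP
// has answered with its LogoutResponse.
$as->logout([
    'ReturnTo' => $returnTo,
]);
```

A quick way to confirm the IdP is actually involved is to watch the browser being redirected to the /slo/saml URL from the IdP metadata; if it goes straight to the ReturnTo page, the SP had no authenticated session to log out.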
