Error 400 (Bad Request) when sending a logout request to Okta (SAML 2.0)

Hi,

I'm getting a 400 Bad Request error with the message "Bad SAML Request" when I attempt to send a LogOut request from my site. I'm quite new to this, so it's quite possible that I'm not sending the correct information to the IdP, but I need some guidance.

Here's the initial authentication request:

<samlp:AuthnRequest AssertionConsumerServiceURL="https://sts-development.mysite.net/?inst=signIn"
    Destination="https://mysite.oktapreview.com/app/mysitedev642155_vimagodevelopment_1/exkjlgid0cDQMDyoa0h7/sso/saml"
    ForceAuthn="false" ID="_827b87ab-5120-4e45-af08-9f0c972e68f4" IsPassive="false"
    IssueInstant="2019-03-04T17:04:51.08Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts-development.mysite.net</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>


The response:


<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://sts-development.mysite.net/?inst=signIn"
    ID="id154512471317294631563558805" InResponseTo="_827b87ab-5120-4e45-af08-9f0c972e68f4"
    IssueInstant="2019-03-04T17:05:03.920Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkjlgid0cDQMDyoa0h7</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id154512471317294631563558805">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>lIlniGkXsMA6qayYMPgNkvGONhBTQ8ArP14y9yliY50=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BnAWGhAMkS4VGionmJXhAVUpc/f7FGWE0qReMmNP3Y1X3OBJoG9weotYWwRDiOoKAkkUz3Bn91+x0GBgZBufl+TpJltHT5TVjIUnOhJD4azi9yvjmU80wlopI4paui3QduYy+h+EUHhUfO0D22l5GD3KqGvdhiT0TUzyC7hi91JFN/YHDcA8205M96WWUJgkt2O+qkzZaf6gipkFD32bfiSV6mWLIfz6W9AgF2cr26MINqgplerz9Y7dxMS+HODGPjKwhosLr22wvq/Pq1O7ZfPEr9lcOioea4COrORT7ugsgmhNjSuGQh3qrk64dQGqZLf5zxjpfl5dktJ8nisNfA==</ds:SignatureValue>
    ...
  </ds:Signature>
  <saml2:Assertion ID="id15451247131816753424882046" IssueInstant="2019-03-04T17:05:03.920Z"
      Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkjlgid0cDQMDyoa0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id15451247131816753424882046">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>yO9GKOJ0oeekd9D9U+kVZ8uxrr6NCkW4dKKO39/xOio=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>OfvL1fNbHv6aD2PToK5fOosgQ6aNQb/5AHdr6Utwr8m9qY2lj137LHoEYFmVul6CUu9UFQ2+6R03mRm6zp/nV6lBlvJoh0e7kdt/ONOvG4iJKUMc9CYhpM/A7ddsPktmEQ6EjR1T0Rh9DNhSXSFBq5mspZZtEOjxNztDGz3dUmyTIYLRExdKp4st66ATT1bY72VqZEf6gB/Ovy1Hv4+dFYPR/mS2dRhEMqLafQ5SOSd9KAdAG6UxWW8LMbH0PFBjTiG2Y6+MvjTVn0ppfx/1SuzNsLYq41BaSfVSgEhxYnFafqQb/Gta6NYyXywdKll/0vSCnCTv4OYuDsQ6qEouxA==</ds:SignatureValue>
      ...
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID>user@mysite.net</saml2:NameID>
      <saml2:SubjectConfirmation>
        <saml2:SubjectConfirmationData InResponseTo="_827b87ab-5120-4e45-af08-9f0c972e68f4"
            NotOnOrAfter="2019-03-04T17:10:03.920Z" Recipient="https://sts-development.mysite.net/?inst=signIn"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-03-04T17:00:03.920Z" NotOnOrAfter="2019-03-04T17:10:03.920Z"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sts-development.mysite.net</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-03-04T17:05:03.920Z"
        SessionIndex="_827b87ab-5120-4e45-af08-9f0c972e68f4"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>


And the signout request I'm sending:


<samlp:LogoutRequest
    Destination="https://mysite.oktapreview.com/app/mysitedev642155_vimagodevelopment_1/exkjlgid0cDQMDyoa0h7/sso/saml"
    ID="_47081fdd-8052-42a3-8b1c-da03dde155c6" IssueInstant="2019-03-04T17:07:23.39Z"
    NotOnOrAfter="2019-03-04T17:08:23.39Z" Reason="SP Logout" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts-development.mysite.net</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@mysite.net</saml:NameID>
</samlp:LogoutRequest>



What may be causing the bad request in the LogoutRequest I'm sending?

Please note that the sign-in works fine, and that I've enabled logout on Okta.

You should include in the logout request the SessionIndex from the authn statement in the SAML assertion.
We recommend using the SAML high-level API as this handles the construction of the SAML protocol messages for you.


Thanks for the tip.

I’ve tried sending back the session ID, and I’m now getting a different 400 error: “Error Parsing XML in SAML Request”:


<samlp:LogoutRequest
    Destination="https://mysite.oktapreview.com/app/assimadev642155_vimagodevelopment_1/exkjlgid0cDQMDyoa0h7/sso/saml"
    ID="_8bcc6429-5056-4d68-aa50-03cbaccb399b" IssueInstant="2019-03-05T10:26:56.431Z"
    NotOnOrAfter="2019-03-05T10:27:56.431Z" Reason="SP Logout" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts-development.mysite.net</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@mysite.net</saml:NameID>
  <samlp:SessionIndex>_aa7593f6-42dc-41e3-9e0d-0bbb5066d313</samlp:SessionIndex>
</samlp:LogoutRequest>


FYI: we’re using the LogoutRequest object with SingleLogoutService.SendLogoutRequestByHTTPRedirect to build that request.

So, if I understand you correctly, you recommend using the high level API SAMLServiceProvider.InitiateSLO instead. If that’s the case, do we also have to use the SAMLServiceProvider.InitiateSSO method to sign in?

I’m not sure why Okta reports that error.
I tested your XML and it’s well formed and validates against the SAML XML schema.
For comparison, here’s an example of a SAML logout request that was successfully processed by Okta.


<samlp:LogoutRequest
    ID="_59e5d5be-6111-4c91-b31a-2527d956773b"
    Version="2.0"
    IssueInstant="2017-10-19T05:15:35Z"
    Destination="https://componentspace.oktapreview.com/app/componentspacedev527539_exampleserviceprovider_4/exkch8syaa6hDqAJQ0h7/slo/saml"
    NotOnOrAfter="2017-10-19T05:18:35Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ExampleServiceProvider</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">johndoe@componentspace.com</saml:NameID>
  <samlp:SessionIndex>_dd12bdfb-f5e5-4e72-b06b-41883d338458</samlp:SessionIndex>
</samlp:LogoutRequest>



Make sure that the NameID is exactly as received in the SAML assertion.
Our recommendation is to use the high-level API wherever possible as it’s easier to use.
You need to call SAMLServiceProvider.InitiateSSO and SAMLServiceProvider.ReceiveSSO for the SSO support to be able to call SAMLServiceProvider.InitiateSLO and SAMLServiceProvider.ReceiveSLO for the SLO.
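As an added example (not code from this thread or from ComponentSpace), the Python below applies the two pieces of advice given above: it reads the NameID (with its Format) and the AuthnStatement's SessionIndex out of a constructed Okta-style Response, builds a LogoutRequest that echoes them, and checks any LogoutRequest against that Response for well-formed XML, a matching NameID and a present SessionIndex. The sample Response, its NameID Format and the request parameters are assumptions.

```python
import xml.etree.ElementTree as ET
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
for prefix, uri in NS.items():  # keep the usual prefixes when serialising
    ET.register_namespace(prefix, uri)

# Constructed sample Response holding only the parts a LogoutRequest depends on;
# the NameID Format is an assumption, the thread never shows the assertion's.
RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="id1" Version="2.0">
 <saml:Assertion ID="id2" Version="2.0"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@mysite.net</saml:NameID>
 </saml:Subject><saml:AuthnStatement AuthnInstant="2019-03-04T17:05:03.920Z"
  SessionIndex="_aa7593f6-42dc-41e3-9e0d-0bbb5066d313"/></saml:Assertion></samlp:Response>"""

def session_values(response_xml):
    """Return (NameID text, NameID Format, SessionIndex) exactly as the IdP issued them."""
    root = ET.fromstring(response_xml)
    nid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    authn = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if nid is None or authn is None:
        raise ValueError("assertion lacks a NameID or an AuthnStatement")
    return nid.text, nid.get("Format"), authn.get("SessionIndex")

def build_logout_request(response_xml, issuer, destination, req_id, issue_instant):
    """Echo the NameID (with its Format) and the SessionIndex back to the IdP."""
    name_id, fmt, session_index = session_values(response_xml)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {"ID": req_id, "Version": "2.0",
                     "IssueInstant": issue_instant, "Destination": destination})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    nid = ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": fmt} if fmt else {})
    nid.text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def check_logout_request(logout_xml, response_xml):
    """Problems the thread turns on (well-formedness, NameID, SessionIndex); [] if none."""
    try:
        req = ET.fromstring(logout_xml)
    except ET.ParseError as exc:  # e.g. an unclosed <samlp:SessionIndex> element
        return [f"not well-formed XML: {exc}"]
    name_id, fmt, session_index = session_values(response_xml)
    nid, si, problems = req.find("saml:NameID", NS), req.find("samlp:SessionIndex", NS), []
    if nid is None or nid.text != name_id:
        problems.append("NameID differs from the assertion")
    elif nid.get("Format") != fmt:
        problems.append("NameID Format differs from the assertion")
    if si is None:
        problems.append("SessionIndex missing")
    elif si.text != session_index:
        problems.append("SessionIndex differs from the AuthnStatement")
    return problems
```

Run the check over a LogoutRequest your library produced before sending it; the two messages it reports for the first request in this thread are the NameID Format mismatch and the missing SessionIndex.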