I'm getting a 400 Bad Request error with the message "Bad SAML Request" when I attempt to send a LogoutRequest from my site. I'm quite new to this, so it's quite possible that I'm not sending the correct information to the IdP, but I need some guidance.
Here's the initial authentication request:
<samlp:AuthnRequest AssertionConsumerServiceURL="https://sts-development.mysite.net/?inst=signIn"
Destination="https://mysite.oktapreview.com/app/mysitedev642155_vimagodevelopment_1/exkjlgid0cDQMDyoa0h7/sso/saml"
ForceAuthn="false" ID="_827b87ab-5120-4e45-af08-9f0c972e68f4" IsPassive="false"
IssueInstant="2019-03-04T17:04:51.08Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts-development.mysite.net</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
The response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://sts-development.mysite.net/?inst=signIn"
ID="id154512471317294631563558805" InResponseTo="_827b87ab-5120-4e45-af08-9f0c972e68f4"
IssueInstant="2019-03-04T17:05:03.920Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkjlgid0cDQMDyoa0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id154512471317294631563558805"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>lIlniGkXsMA6qayYMPgNkvGONhBTQ8ArP14y9yliY50=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>BnAWGhAMkS4VGionmJXhAVUpc/f7FGWE0qReMmNP3Y1X3OBJoG9weotYWwRDiOoKAkkUz3Bn91+x0GBgZBufl+TpJltHT5TVjIUnOhJD4azi9yvjmU80wlopI4paui3QduYy+h+EUHhUfO0D22l5GD3KqGvdhiT0TUzyC7hi91JFN/YHDcA8205M96WWUJgkt2O+qkzZaf6gipkFD32bfiSV6mWLIfz6W9AgF2cr26MINqgplerz9Y7dxMS+HODGPjKwhosLr22wvq/Pq1O7ZfPEr9lcOioea4COrORT7ugsgmhNjSuGQh3qrk64dQGqZLf5zxjpfl5dktJ8nisNfA==</ds:SignatureValue>
</ds:Signature>
...
<saml2:Assertion ID="id15451247131816753424882046" IssueInstant="2019-03-04T17:05:03.920Z"
Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkjlgid0cDQMDyoa0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id15451247131816753424882046"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>yO9GKOJ0oeekd9D9U+kVZ8uxrr6NCkW4dKKO39/xOio=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>OfvL1fNbHv6aD2PToK5fOosgQ6aNQb/5AHdr6Utwr8m9qY2lj137LHoEYFmVul6CUu9UFQ2+6R03mRm6zp/nV6lBlvJoh0e7kdt/ONOvG4iJKUMc9CYhpM/A7ddsPktmEQ6EjR1T0Rh9DNhSXSFBq5mspZZtEOjxNztDGz3dUmyTIYLRExdKp4st66ATT1bY72VqZEf6gB/Ovy1Hv4+dFYPR/mS2dRhEMqLafQ5SOSd9KAdAG6UxWW8LMbH0PFBjTiG2Y6+MvjTVn0ppfx/1SuzNsLYq41BaSfVSgEhxYnFafqQb/Gta6NYyXywdKll/0vSCnCTv4OYuDsQ6qEouxA==</ds:SignatureValue>
</ds:Signature>
...
<saml2:Subject>
<!-- the NameID's attributes (Format etc.) were lost when the XML was pasted -->
<saml2:NameID>user@mysite.net</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_827b87ab-5120-4e45-af08-9f0c972e68f4"
NotOnOrAfter="2019-03-04T17:10:03.920Z" Recipient="https://sts-development.mysite.net/?inst=signIn"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-03-04T17:00:03.920Z" NotOnOrAfter="2019-03-04T17:10:03.920Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction><saml2:Audience>https://sts-development.mysite.net</saml2:Audience></saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-03-04T17:05:03.920Z"
SessionIndex="_827b87ab-5120-4e45-af08-9f0c972e68f4"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
And the signout request I'm sending:
<samlp:LogoutRequest
Destination="https://mysite.oktapreview.com/app/mysitedev642155_vimagodevelopment_1/exkjlgid0cDQMDyoa0h7/sso/saml"
ID="_47081fdd-8052-42a3-8b1c-da03dde155c6" IssueInstant="2019-03-04T17:07:23.39Z"
NotOnOrAfter="2019-03-04T17:08:23.39Z" Reason="SP Logout" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts-development.mysite.net</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@mysite.net</saml:NameID>
</samlp:LogoutRequest>
What may be causing the bad request in the LogoutRequest I'm sending?
Please note that the sign-in works fine, and that I've enabled logout on Okta.
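The script below is an added example, not code from the question or from Okta. It applies the SAML 2.0 Core rules for SP-initiated single logout to the message shapes shown above: a LogoutRequest names the session it ends by repeating the assertion's NameID (same value and same Format), carries the AuthnStatement's SessionIndex, and is addressed to the IdP's single-logout endpoint rather than its SSO endpoint. It parses a trimmed copy of the Response, cross-checks a copy of the posted LogoutRequest against it, and builds a request that passes the same checks. The sample XML, the NameID Format (emailAddress) and the `/slo/saml` endpoint URL are assumptions made for the example; it also does not sign the request, which an IdP configured to require signed LogoutRequests would still reject.

```python
"""Cross-check a SAML 2.0 LogoutRequest against the assertion that started the session.

Added example, not the question's code. Stdlib only. The endpoint URLs, the
NameID Format and the sample XML are constructed for the example.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample: a trimmed copy of the Response shape in the question.
# The NameID Format (emailAddress) is an assumption; the real one is whatever the IdP sent.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1" Version="2.0">
  <saml2:Assertion ID="id2" Version="2.0">
    <saml2:Issuer>http://www.okta.com/exkjlgid0cDQMDyoa0h7</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@mysite.net</saml2:NameID>
    </saml2:Subject>
    <saml2:AuthnStatement AuthnInstant="2019-03-04T17:05:03.920Z"
      SessionIndex="_827b87ab-5120-4e45-af08-9f0c972e68f4"/>
  </saml2:Assertion>
</saml2p:Response>"""

# The SSO URL is the one in the question; the SLO URL is a hypothetical endpoint for the same app.
SSO_URL = "https://mysite.oktapreview.com/app/mysitedev642155_vimagodevelopment_1/exkjlgid0cDQMDyoa0h7/sso/saml"
SLO_URL = "https://mysite.oktapreview.com/app/mysitedev642155_vimagodevelopment_1/exkjlgid0cDQMDyoa0h7/slo/saml"
SP_ENTITY_ID = "https://sts-development.mysite.net"

# Constructed copy of the LogoutRequest shape in the question: sent to the SSO endpoint,
# NameID in the entity format, no SessionIndex.
AS_POSTED = f"""<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_47081fdd-8052-42a3-8b1c-da03dde155c6" Version="2.0" IssueInstant="2019-03-04T17:07:23.39Z"
  Destination="{SSO_URL}">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">user@mysite.net</saml:NameID>
</samlp:LogoutRequest>"""


def session_from_response(response_xml):
    """Pull the fields a LogoutRequest must echo out of an SSO Response."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    authn = root.find(".//saml:AuthnStatement", NS)
    return {
        "issuer": root.findtext(".//saml:Assertion/saml:Issuer", namespaces=NS),
        "name_id": name_id.text,
        # Core 8.3: a NameID without Format means "unspecified"
        "name_id_format": name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"),
        "session_index": authn.get("SessionIndex") if authn is not None else None,
    }


def build_logout_request(session, destination, sp_entity_id, now=None):
    """Serialise an SP-initiated LogoutRequest for the session (unsigned; signing is out of scope)."""
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    req = ET.Element("{%s}LogoutRequest" % NS["samlp"], {
        "ID": "_" + str(uuid.uuid4()),
        "Version": "2.0",
        "IssueInstant": now.strftime(fmt),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(fmt),
        "Destination": destination,
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    nid = ET.SubElement(req, "{%s}NameID" % NS["saml"], {"Format": session["name_id_format"]})
    nid.text = session["name_id"]
    if session["session_index"]:
        ET.SubElement(req, "{%s}SessionIndex" % NS["samlp"]).text = session["session_index"]
    return ET.tostring(req, encoding="unicode")


def check_logout_request(logout_xml, session, slo_url):
    """Return the mismatches between a LogoutRequest and the session it is meant to end."""
    root = ET.fromstring(logout_xml)
    problems = []
    if root.get("Destination") != slo_url:
        problems.append("Destination is not the IdP single-logout endpoint")
    nid = root.find("saml:NameID", NS)
    if nid is None:
        problems.append("NameID missing")
    else:
        if nid.text != session["name_id"]:
            problems.append("NameID value differs from the assertion")
        if nid.get("Format") != session["name_id_format"]:
            problems.append("NameID Format differs from the assertion")
    idx = root.findtext("samlp:SessionIndex", namespaces=NS)
    if session["session_index"] and idx != session["session_index"]:
        problems.append("SessionIndex missing or does not match the AuthnStatement")
    return problems


if __name__ == "__main__":
    sess = session_from_response(SAMPLE_RESPONSE)
    print(check_logout_request(AS_POSTED, sess, SLO_URL))
    fixed = build_logout_request(sess, SLO_URL, SP_ENTITY_ID)
    print(fixed)
    print(check_logout_request(fixed, sess, SLO_URL))
```

Run as a script it prints three findings for the copied request (wrong destination, NameID Format differs, SessionIndex missing) and an empty list for the rebuilt one. The check reads the NameID Format from the assertion rather than hard-coding one because `nameid-format:entity` is reserved for identifying SAML entities (issuers), not users; whatever Format the IdP put on the subject's NameID is the one the LogoutRequest has to repeat.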