SSO Logout Request does not contain signature as query parameter

Hello -

Similar to this topic:
https://www.componentspace.com/forums/12422/Single-logout-request-does-not-contain-signature?Keywords=Certificate%20configuration%20change%20saml.config

I’m trying to do a SSO Logout as an SP to an Okta IP (which requires the logout request to be signed, Azure AD does not). The response from Okta is an error:

An error logout response status (urn:oasis:names:tc:SAML:2.0:status:AuthnFailed) was received.

It’s rejecting the request because there is no signature. I understand that using urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding, the signature should be on the query string, but it isn’t. The query string just contains the following two parameters: SAMLRequest (which contains the unsigned SAML Logout Request) and RelayState. Why isn’t the Signature added to the query string per the topic I posted above?

Thanks,

Mike Oliver

Hi Mike,

We sign the SAML authn request if the PartnerIdentityProviderConfiguration.SignAuthnRequest flag is set to true.

For example:


“PartnerIdentityProviderConfigurations”: [
{
“Name”: “<a href=“https://ExampleIdentityProvider”,”>https://ExampleIdentityProvider",
“SignAuthnRequest”: true,
},



Note that starting with v4.9.0 we default SignAuthnRequest to true to encourage best security practices. In earlier versions, it defaulted to false.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace

Hi -
I'm referring specifically to the Logout Reqest, and I confirmed that SignLogoutRequest is set to true in the Partner Identity Provider Config. I did also try to set SignAuthnRequest to true as well, but still there is no Signature query parameter as part of the Logout Request to the IP (Okta) - just SamlRequest and RelayState. Please advise.

Thanks!

- Mike Oliver

Sorry Mike. I misread.

The same thing applies for signing the logout messages. This is controlled by the PartnerIdentityProviderConfiguration.SignLogoutRequest and PartnerIdentityProviderConfiguration.SignLogoutResponse flags.

For example:


“PartnerIdentityProviderConfigurations”: [
{
“Name”: “<a href=“https://ExampleIdentityProvider” ,”=“”><a href=“https://ExampleIdentityProvider”,“>https://ExampleIdentityProvider”,
“SignLogoutRequest”: true,
“SignLogoutResponse”: true,
},



Note that starting with v4.9.0 we default SignLogoutRequest and SignLogoutResponse to true to encourage best security practices. In earlier versions, it defaulted to false.

If you’ve already set these flags, please email us the SAML log file.

>> If you've already set these flags, please email us the SAML log file.

Yes - all of these bools are set to true. Will enable logging and provide SAML log file. Thanks!

That’s very odd. Hopefully the log will shed some light on this. Thanks.

Hello - just to follow up on this. I did check the SAML trace logs and saw nothing w/r/t the signature. However, we also realized that the SP cert that we were loading for the SP signature was a *.cer file, which does not have a private key, just a public key. So, I believe what was happening is that without a private key, the ComponentSpace code was just skipping the signature part of the Single Logout request generation. Once we instead loaded a cert with a private key, all was well.

Thanks Mike for the update.

If the logout message is to be signed and the local certificate file is a .CER rather than a .PFX we’ll throw an exception. We won’t just skip the signature generation.

If you’d like us to investigate this you’re welcome to email a SAML log file demonstrating what you saw.

It's okay - I probably just missed the exception while I was looking through the log. In any case, the problem was using a .CER with no private key. Thanks!

- Mike

No worries. Thanks Mike.