Integrating Okta SAML Single logout(SLO) into ServiceProvider. I am trying to make SLO request in two ways. 1. HTTP Redirect binding 2. HTTP POST binding. I configured SLO in okta dashboard. Here is my HTTP Redirect binding Request:
function create_logout_request(issuer, name_id, session_index, destination) {
var id, xml;
id = '_' + crypto.randomBytes(21).toString('hex');
xml = xmlbuilder.create({
'samlp:LogoutRequest': {
'@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
'@xmlns': 'urn:oasis:names:tc:SAML:2.0:assertion',
'@ID': id,
'@Version': '2.0',
'@IssueInstant': (new Date()).toISOString(),
'@Destination': destination,
'Issuer': issuer,
'NameID': {
'@Format': 'urn:oasis:names:tc:SAML:2.0:nameidformat:emailAddress', // attributes start with @
'#text': name_id // text node
},
'samlp:SessionIndex': session_index
}
}).end();
return {
id: id,
xml: xml
};
}
let xmlReqObj = create_logout_request(options.entity_id, options.name_id, options.session_index, idp_options.sso_logout_url);
let newXmlReq = xmlReqObj.xml.replace('<?xml version="1.0"?>', "");
let appendXmlVersion = '<?xml version="1.0" encoding="UTF-8"?>' + newXmlReq;
let input = new Buffer(appendXmlVersion);
let compressed = zlib.deflateSync(input);
var samlEncodeReq = compressed.toString('base64')
let queryStr = "SAMLRequest=" + encodeURIComponent(samlEncodeReq) + "&SigAlg=" + encodeURIComponent("http://www.w3.org/2000/09/ xmldsig#rsa-sha256") + "&RelayState=" + encodeURIComponent(options.relay_state);
let sign = crypto.createSign('RSA-SHA256');
sign.update(queryStr);
let signature = sign.sign(sp_options.private_key, 'base64');
let logout_url = idp_options.sso_logout_url + "?" + queryStr + "&Signature=" + encodeURIComponent(signature);
res.redirect(logout_url);
Here is my HTTP POST binding Request:
var html = [
'<!DOCTYPE html>',
'<html>',
'<head>',
'<meta charset="utf-8">',
'<meta http-equiv="x-ua-compatible" content="ie=edge">',
'</head>',
'<body onload="document.forms[0].submit()">',
'<noscript>',
'<p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button below once to proceed.</p>',
'</noscript>',
'<form method="post" id="myForm" action="https://lantronix-sharath.okta.com/app/lantronixorg730497_testsaml_1/exk5zzbhqflRfc0uM355/slo/saml">',
'<input type="hidden" name="SAMLRequest" value="' + samlEncodeReq + '" />',
'<input type="hidden" name="RelayState" value="' + options.relay_state + '" />',
'<input type="submit" value="Submit" />',
'</form>',
'<script> function submitForm(){ document.getElementById("myForm").submit(); } submitForm(); </script>',
'</body>',
'</html>'
].join('\r\n');
res.set('Content-Type', 'text/html');
res.send(html);
res.render(html);
I got SAML Response as below
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></saml2p:Status>
I tried with two types of SAML Logout Request xml forms. They are as below
<?xml version="1.0"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d72db96681b9f6649ae862b21f5e175e74ed7aae19" Version="2.0" IssueInstant="2018-08-03T07:14:02.548Z" Destination="https://lantronix-sharath.okta.com/app/lantronixorg730497_testsaml_1/exk5zzbhqflRfc0uM355/slo/saml"><Issuer>https://192.168.50.68:3000</Issuer><NameID Format="urn:oasis:names:tc:SAML:2.0:nameidformat:emailAddress">csharath@lantronix.com</NameID><samlp:SessionIndex>_72507c647a10dd290a14b2991c2e88f5817b6ad332</samlp:SessionIndex></samlp:LogoutRequest>
<?xml version="1.0"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c942f734072c29dbc745e9ce764d7777b456908442" Version="2.0" IssueInstant="2018-08-03T00:53:36.607Z" Destination="https://lantronix-sharath.okta.com/app/lantronixorg730497_testsaml_1/exk5zzbhqflRfc0uM355/slo/saml"><Issuer>https://192.168.1.2:3000</Issuer><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">csharath@lantronix.com</NameID><samlp:SessionIndex>_4865368d3755a7c3a032134867bd769e1953d74790</samlp:SessionIndex></samlp:LogoutRequest>
Please help me out what is the SAML Logout request format?
答案 0 :(得分:0)
您需要一个客户端SAML堆栈,例如I need a SAML stack — now!。
然后与SAML身份提供商进行对话。
您打算使用哪个IDP?
所有配置完成后,堆栈将处理所有消息(SP发起),或者如果您的IDP支持它,则可以从IDP(IDP发起)开始。
更新
执行此操作的最佳方法是将两个应用程序都连接到IDP。然后验证到第一个应用程序。当您转到第二个应用程序时,IDP将使用SSO和第二个应用程序。将获得SAML令牌,而无需用户再次进行身份验证。