Okta SAML SLO response status is 'RequestDenied'

时间:2018-06-28 06:53:02

标签: node.js saml saml-2.0 okta onelogin

Integrating Okta SAML Single logout(SLO) into ServiceProvider. I am trying to make SLO request in two ways. 1. HTTP Redirect binding 2. HTTP POST binding. I configured SLO in okta dashboard. Here is my HTTP Redirect binding Request:

function create_logout_request(issuer, name_id, session_index, destination) {
    var id, xml;
    id = '_' + crypto.randomBytes(21).toString('hex');
    xml = xmlbuilder.create({
        'samlp:LogoutRequest': {
            '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
            '@xmlns': 'urn:oasis:names:tc:SAML:2.0:assertion',
            '@ID': id,
            '@Version': '2.0',
            '@IssueInstant': (new Date()).toISOString(),
            '@Destination': destination,
            'Issuer': issuer,
            'NameID': {
                '@Format': 'urn:oasis:names:tc:SAML:2.0:nameidformat:emailAddress', // attributes start with @
                '#text': name_id // text node
            },
            'samlp:SessionIndex': session_index
        }
    }).end();

    return {
        id: id,
        xml: xml
    };
}
let xmlReqObj = create_logout_request(options.entity_id, options.name_id, options.session_index, idp_options.sso_logout_url);
let newXmlReq = xmlReqObj.xml.replace('<?xml version="1.0"?>', "");
let appendXmlVersion = '<?xml version="1.0" encoding="UTF-8"?>' + newXmlReq;
let input = new Buffer(appendXmlVersion);
let compressed = zlib.deflateSync(input);
var samlEncodeReq = compressed.toString('base64')
let queryStr = "SAMLRequest=" + encodeURIComponent(samlEncodeReq) + "&SigAlg=" + encodeURIComponent("http://www.w3.org/2000/09/          xmldsig#rsa-sha256") + "&RelayState=" + encodeURIComponent(options.relay_state);
let sign = crypto.createSign('RSA-SHA256');
sign.update(queryStr);
let signature = sign.sign(sp_options.private_key, 'base64');
let logout_url = idp_options.sso_logout_url + "?" + queryStr + "&Signature=" + encodeURIComponent(signature);
res.redirect(logout_url);

Here is my HTTP POST binding Request:

var html = [
    '<!DOCTYPE html>',
    '<html>',
    '<head>',
    '<meta charset="utf-8">',
    '<meta http-equiv="x-ua-compatible" content="ie=edge">',
    '</head>',
    '<body onload="document.forms[0].submit()">',
    '<noscript>',
    '<p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button below once to proceed.</p>',
    '</noscript>',
    '<form method="post" id="myForm" action="https://lantronix-sharath.okta.com/app/lantronixorg730497_testsaml_1/exk5zzbhqflRfc0uM355/slo/saml">',
    '<input type="hidden" name="SAMLRequest" value="' + samlEncodeReq + '" />',
    '<input type="hidden" name="RelayState" value="' + options.relay_state + '" />',
    '<input type="submit" value="Submit" />',
    '</form>',
    '<script> function submitForm(){ document.getElementById("myForm").submit(); } submitForm(); </script>', 
    '</body>',
    '</html>'
    ].join('\r\n');

res.set('Content-Type', 'text/html');
res.send(html);
res.render(html);  

I got SAML Response as below

<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></saml2p:Status>

I tried with two types of SAML Logout Request xml forms. They are as below

<?xml version="1.0"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d72db96681b9f6649ae862b21f5e175e74ed7aae19" Version="2.0" IssueInstant="2018-08-03T07:14:02.548Z" Destination="https://lantronix-sharath.okta.com/app/lantronixorg730497_testsaml_1/exk5zzbhqflRfc0uM355/slo/saml"><Issuer>https://192.168.50.68:3000</Issuer><NameID Format="urn:oasis:names:tc:SAML:2.0:nameidformat:emailAddress">csharath@lantronix.com</NameID><samlp:SessionIndex>_72507c647a10dd290a14b2991c2e88f5817b6ad332</samlp:SessionIndex></samlp:LogoutRequest>

<?xml version="1.0"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c942f734072c29dbc745e9ce764d7777b456908442" Version="2.0" IssueInstant="2018-08-03T00:53:36.607Z" Destination="https://lantronix-sharath.okta.com/app/lantronixorg730497_testsaml_1/exk5zzbhqflRfc0uM355/slo/saml"><Issuer>https://192.168.1.2:3000</Issuer><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">csharath@lantronix.com</NameID><samlp:SessionIndex>_4865368d3755a7c3a032134867bd769e1953d74790</samlp:SessionIndex></samlp:LogoutRequest>

Please help me out what is the SAML Logout request format?

1 个答案:

答案 0 :(得分:0)

您需要一个客户端SAML堆栈,例如I need a SAML stack — now!

然后与SAML身份提供商进行对话。

您打算使用哪个IDP?

所有配置完成后,堆栈将处理所有消息(SP发起),或者如果您的IDP支持它,则可以从IDP(IDP发起)开始。

更新

执行此操作的最佳方法是将两个应用程序都连接到IDP。然后验证到第一个应用程序。当您转到第二个应用程序时,IDP将使用SSO和第二个应用程序。将获得SAML令牌,而无需用户再次进行身份验证。