Hi,

I have almost completed SAML delegated authN with CAS and Okta (CAS 
delegates to Okta), except for SLO. 

When the client app initiates SLO, it goes to CAS, and CAS redirects to Okta, 
but Okta says "invalid signature". The SAML Logout request from CAS has no 
signature element. See below.

I verified the Okta settings; nowhere does it say that it requires a signature 
in the Logout Request. Regardless, I cannot figure out how to get CAS to sign 
the SLO request when in delegated authN. This setting made no difference even 
when set:

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

<md:IDPSSODescriptor WantAuthnRequestsSigned="false"
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

This is the SLO from CAS to Okta, with no signature element. I suppose that is 
why Okta says "Invalid Signature", but I do not know how to get Okta to turn 
off checking. In Okta, "Validate SAML requests with signature certificates" 
is OFF.

Ideas? Thanks in advance.

Yan

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://dev-.......okta.com/app/dev-11........p_1/ex......7/slo/saml"
    ID="_2701..........ca870e07705"
    IssueInstant="2023-09-08T20:09:28.830Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8443/cas/samlsp</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yan.......com</saml2:NameID>
  <saml2p:SessionIndex>_4ba2......3a4b0</saml2p:SessionIndex>
</saml2p:LogoutRequest>
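
Added example, not part of the original post and not CAS or Okta code: under the SAML HTTP-Redirect binding a request's signature travels in the SigAlg and Signature query parameters, not as a ds:Signature element, so the decoded XML alone does not show whether a LogoutRequest was signed. The sketch below reports both locations for a captured redirect URL; it assumes the redirect binding is in use, and the host, ID and signature value in the sample are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 1 << 20  # cap inflated size so a hostile capture cannot exhaust memory


def inspect_logout_url(url):
    """Report where, if anywhere, a redirect-bound LogoutRequest carries a signature."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    xml = zlib.decompressobj(-15).decompress(raw, MAX_XML)
    if b"<!DOCTYPE" in xml:
        raise ValueError("DOCTYPE not allowed in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    return {
        "destination": root.get("Destination"),
        # POST binding style: <ds:Signature> as a child of the request element.
        "embedded_signature": root.find(f"{{{DS_NS}}}Signature") is not None,
        # Redirect binding style: detached signature in the query string.
        "query_signature": "SigAlg" in params and "Signature" in params,
    }


def build_sample_url(signed):
    """Constructed sample input; host, ID and signature value are placeholders."""
    xml = (f'<saml2p:LogoutRequest xmlns:saml2p="{SAMLP_NS}" ID="_example" '
           'Version="2.0" Destination="https://idp.example.test/slo"/>').encode()
    deflater = zlib.compressobj(wbits=-15)
    query = {"SAMLRequest": base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()}
    if signed:
        query["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        query["Signature"] = "Y29uc3RydWN0ZWQ="  # placeholder, not a real signature
    return "https://idp.example.test/slo?" + urlencode(query)


if __name__ == "__main__":
    for signed in (False, True):
        print(inspect_logout_url(build_sample_url(signed)))
```

The function only reports whether a signature is present and where; it does not validate it.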
