Yan,

It is a wise idea to sign logout requests. This prevents a bad actor from creating false logouts. "Validate SAML requests with signature ..." is for the login request.
When your client app sends a logout request to CAS, does CAS (as IdP) end its session with the client?

Ray

On Fri, 2023-09-08 at 13:18 -0700, Yan Zhou wrote:

Hi,

I have almost completed SAML delegated authN with CAS and Okta (CAS delegates to Okta), except for SLO. When the client app initiates SLO, it goes to CAS, CAS redirects to Okta, but Okta says "invalid signature": the SAML LogoutRequest from CAS has no signature element. See below.

I verified the Okta settings; nowhere does it say it requires a signature in the LogoutRequest. Regardless, I cannot figure out how to get CAS to sign the SLO request when in delegated authN. This setting made no difference even when set:

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

This is the SLO from CAS to Okta, with no signature element; I suppose that is why Okta says "Invalid Signature", but I do not know how to get Okta to turn off checking. In Okta, "Validate SAML requests with signature certificates" is OFF.

Ideas?
Thanks in advance,
Yan

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://dev-.......okta.com/app/dev-11........p_1/ex......7/slo/saml"
    ID="_2701..........ca870e07705"
    IssueInstant="2023-09-08T20:09:28.830Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8443/cas/samlsp</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yan.......com</saml2:NameID>
  <saml2p:SessionIndex>_4ba2......3a4b0</saml2p:SessionIndex>
</saml2p:LogoutRequest>
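Added illustration for the thread above (not code from the thread, from CAS, pac4j or Okta): a standard-library Python script that inspects an outgoing LogoutRequest and reports whether, and how, it is signed. The point it makes is that the two SAML bindings carry the signature in different places. With HTTP-POST the signature is an enveloped ds:Signature element inside the XML, directly under the root. With HTTP-Redirect the XML carries no Signature element at all; the signature lives in the SigAlg and Signature query parameters and is computed over the URL-encoded string SAMLRequest=...&RelayState=...&SigAlg=... exactly as those octets appear on the wire, in that order. A decoded XML dump with no Signature element therefore settles the question only if the POST binding was used. The endpoint, request ID, NameID, SessionIndex and the placeholder signature values are constructed for the example; the XML-DSig body is not verified, only its presence is checked.

```python
"""Inspect a SAML 2.0 LogoutRequest sent by an SP and report whether, and how, it is signed.
Standard library only; all sample data is constructed, not taken from a real deployment."""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the unsigned request quoted above; the endpoint,
# request ID, NameID and SessionIndex are placeholders, not values from the thread.
UNSIGNED_LOGOUT_REQUEST = (
    '<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://idp.example.test/slo/saml" ID="_example-request-id" '
    'IssueInstant="2023-09-08T20:09:28.830Z" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://localhost:8443/cas/samlsp</saml2:Issuer>'
    '<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.test</saml2:NameID>'
    '<saml2p:SessionIndex>_example-session-index</saml2p:SessionIndex>'
    '</saml2p:LogoutRequest>'
)

# The same request as the HTTP-POST binding carries it when signed: an enveloped ds:Signature
# directly under the root, after saml:Issuer. The signature body is a placeholder; this script
# checks presence only and does not verify XML-DSig.
SIGNED_LOGOUT_REQUEST = UNSIGNED_LOGOUT_REQUEST.replace(
    "</saml2:Issuer>",
    '</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>",
    1,
)


def parse_logout_request(xml_text: str) -> ET.Element:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a samlp:LogoutRequest: {root.tag}")
    return root


def has_enveloped_signature(xml_text: str) -> bool:
    """HTTP-POST binding: a signed request has ds:Signature as a direct child of the root."""
    return parse_logout_request(xml_text).find(f"{{{DS}}}Signature") is not None


def to_redirect_url(xml_text: str, slo_endpoint: str, relay_state: Optional[str] = None) -> str:
    """Encode for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (SAML Bindings 3.4.4.1).
    Builds the unsigned form; a signed URL additionally carries SigAlg= and Signature=."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    query = "SAMLRequest=" + quote(base64.b64encode(deflated).decode("ascii"), safe="")
    if relay_state is not None:
        query += "&RelayState=" + quote(relay_state, safe="")
    return f"{slo_endpoint}?{query}"


def _raw_query_pairs(url: str) -> dict:
    """Keep each value exactly as encoded on the wire. The redirect-binding signature covers
    those octets, so a verifier that re-encodes them will reject a valid signature."""
    pairs = {}
    for part in urlsplit(url).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs[name] = value
    return pairs


def decode_redirect_request(url: str) -> str:
    """Recover the LogoutRequest XML from a redirect-binding URL."""
    raw = _raw_query_pairs(url)["SAMLRequest"]
    return zlib.decompress(base64.b64decode(unquote(raw)), -15).decode("utf-8")


def redirect_signature_report(url: str) -> dict:
    """Report whether a redirect-binding request is signed and which octets the SP signed."""
    raw = _raw_query_pairs(url)
    signed = "SigAlg" in raw and "Signature" in raw
    signed_octets = None
    if signed:
        # Order fixed by the binding spec: SAMLRequest, then RelayState if present, then SigAlg.
        parts = ["SAMLRequest=" + raw["SAMLRequest"]]
        if "RelayState" in raw:
            parts.append("RelayState=" + raw["RelayState"])
        parts.append("SigAlg=" + raw["SigAlg"])
        signed_octets = "&".join(parts)
    return {
        "query_signed": signed,
        "sig_alg": unquote(raw["SigAlg"]) if signed else None,
        "xml_has_enveloped_signature": has_enveloped_signature(decode_redirect_request(url)),
        "signed_octets": signed_octets,
    }


if __name__ == "__main__":
    print("POST binding, unsigned sample:", has_enveloped_signature(UNSIGNED_LOGOUT_REQUEST))
    print("POST binding, signed sample:  ", has_enveloped_signature(SIGNED_LOGOUT_REQUEST))
    url = to_redirect_url(UNSIGNED_LOGOUT_REQUEST, "https://idp.example.test/slo/saml", "app-state")
    print("Redirect binding:", redirect_signature_report(url))
```

To use it on a real capture, feed redirect_signature_report() the Location header CAS returns to the browser, or has_enveloped_signature() the SAMLRequest form field (base64-decoded, not deflated) for the POST binding. If the redirect URL has neither SigAlg nor Signature and the XML has no ds:Signature, the request really is unsigned, which is what an IdP that insists on signed logout requests will reject.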