如何使用okta作为IDP来实现单点注销? [英] How to implement single logout using okta as IDP?
问题描述
在Okta开发人员帐户中,我已启用 SAML单一注销,并获取身份提供商单一注销URL .我使用从单次登录过程中获得的SAML响应中获得的 NameID 和 SessionIndex 创建了以下注销请求.
In Okta developer account I have enabled the SAML Single Logout and get Identity Provider Single Logout URL. I have created following logout request using NameID and SessionIndex obtained from SAML response that we get during single sign-on process.
注销请求:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://dev-6#####.oktapreview.com/app/nepasoftdev660864_spdemo_1/exk606bnr5BZOBF7z0h7/slo/saml" ID="_b2be5dbd-928a-4554-a879-25a179e36ee2" IssueInstant="2016-03-25T10:20:47Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://192.###.###.##/spdemo</saml:Issuer>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ramesh.shrestha@nepasoft.com</saml:NameID>
<samlp:SessionIndex>id1458901238038.94596883</samlp:SessionIndex>
</samlp:LogoutRequest>
我收到以下注销响应,状态码为 RequestDenied
I am getting the following Logout Response with status code RequestDenied
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:10262/Logout.aspx" ID="id1846510753301801884197562" InResponseTo="_b2be5dbd-928a-4554-a879-25a179e36ee2" IssueInstant="2016-03-25T10:22:40.389Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://192.###.###.##/spdemo</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id1846510753301801884197562">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>LQwvto+ERXvrQRUB7LOUUznSXII=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>P+T1K.....ZYvCw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID.....7zK0rH</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</saml2p:Status>
</saml2p:LogoutResponse>
为什么获得RequestDenied身份的原因?在Okta中启用一次注销时,我是否错过了注销请求或配置错误?
Why might be the reason for getting RequestDenied status? Did i missed something on logout request or misconfigured during enabling single logout in Okta?
非常感谢.
推荐答案
您还需要签署LogoutRequest,因此您需要包括一个Signature元素(类似于您在LogoutResponse中返回的内容).
You also need to sign the LogoutRequest so you would need to include a Signature element (similar to what you are getting back in the LogoutResponse).
也就是说,我遇到了同样的问题.我已经签署了LogoutRequest,但仍收到状态为RequestDenied的LogoutResponse.
That said, I'm running into the same issue you are. I have signed my LogoutRequest but am still getting a LogoutResponse with status RequestDenied.
我确实找到了该线程( https://support.okta.com/help/Okta的支持页面上的answer?id = 906F0000000I07YIAS )指示注销不支持HTTP-重定向绑定,因此您可能需要HTTP-Post.我还没有尝试过.
I did find this thread (https://support.okta.com/help/answers?id=906F0000000I07YIAS) on Okta's support page which indicates that the HTTP-Redirect binding is not supported for logout so you may need to you HTTP-Post. I've not tried that yet.
这篇关于如何使用okta作为IDP来实现单点注销?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
