SAML Logout fails: Issuer does not match (NodeJS + Okta)
I am trying to do a logout with SAML with Okta as my IdP. I am getting "Issuer does not match" in Okta logs:

I have already set up single logout:

With the cert uploaded being my SP public key. Code wise:

```javascript
const config = require('../../app/config')
const saml = require('saml2-js')

module.exports = {
  sp: new saml.ServiceProvider({
    entity_id: `${config.HOSTNAME}/saml/assert`,
    private_key: config.SAML_SP_PRIVATE_KEY,
    certificate: config.SAML_SP_PUBLIC_KEY,
    assert_endpoint: `${config.HOSTNAME}/saml/assert`,
    allow_unencrypted_assertion: true,
    sign_get_request: true
  }),
  idp: new saml.IdentityProvider({
    sso_login_url: config.SAML_SSO_LOGIN_URL,
    sso_logout_url: config.SAML_SSO_LOGOUT_URL,
    certificates: config.SAML_SSO_IDP_CERT,
    sign_get_request: true
  })
}
```

And the logout function:

```javascript
const util = require('util')
const config = require('../../app/config')
const { sp, idp } = require('./saml')   // the module shown above (path assumed)
const { jwtVerify } = require('./jwt')  // app-specific JWT helper, not shown in the question (path assumed)

// Express-style route handler; req/res come from the framework
async function logout (req, res) {
  if (!req.signedCookies.token) {
    res.status(400).send('Missing token')
    return
  }
  const tokenData = await jwtVerify(req.signedCookies.token, config.AUTH_SECRET)
  const options = {
    name_id: tokenData.name_id,
    session_id: tokenData.session_id,
    sign_get_request: true
  }
  // saml2-js uses node-style callbacks, so promisify it and keep `sp` as `this`
  const createLogoutRequestUrl = util.promisify(sp.create_logout_request_url).bind(sp)
  const logoutUrl = await createLogoutRequestUrl(idp, options)
  res.redirect(logoutUrl)
}

module.exports = { logout }
```
Answers
OK, found my mistakes: my SP entity_id should be the metadata URL:

```javascript
entity_id: `${config.HOSTNAME}/saml/metadata`,
```

The config should be reflected in Okta too:
According to the documentation at https://help.okta.com/en-us/content/topics/apps/apps_single_logout.html: "SP Issuer — the identifier for the application. This can be an ACS URL or the SP Entity ID. This value is also included in the metadata sent in the SLO request from the SP application." Therefore the entity_id parameter must match the value entered in the SP Issuer field of the Okta configuration. In your response you point out the Audience Restriction parameter and mention the metadata URL, but in reality it can be any string that identifies your SP; it just happens to work in your case because they match.



