Okta SAML Integration with Signed Requests

Last Updated: Sep 24, 2024

Overview

When a SAML connection pointed at Okta is used to authenticate users into the Delegated Admin Extension, or in any setup where Auth0 is the SP and Okta is the IdP, and signed requests are enabled, a 400 Bad Request error is received.

Error seen after SAML request is sent if there is no Okta session:

/error/400_SAML?stateToken=

On the Okta side, the Validate SAML request is enabled.

Steps to reproduce the error:

  1. Set up an Okta SAML application using the SAML Integration Wizard. Download Okta signing cert from Sign on tab > Settings > More details > Signing certificate.
  2. Create a SAML Enterprise connection in Auth0 and upload the Okta signing cert, turn on “Sign Request”, and download the connection's signing cert PEM file from the “certificate” link provided in the dashboard (https://<YOUR_DOMAIN>/pem?cert=connection).
  3. In the Okta SAML App Settings, show Advanced Settings > Signed Requests > tick “Validate SAML requests with signature certificates” > upload the Auth0 signing cert PEM file.
  4. Attempt to log in through the SAML enterprise connection. If there is no Okta session, the browser is redirected to an Okta-based OAuth2 flow and ends up on the Okta portal; otherwise a 400 Bad Request SAML error is shown.

Applies To

  • SAML Connection
  • Enterprise Connection
  • 400 Bad Request Error

Solution

To work with Okta SAML applications that have the “Validate SAML requests with signature certificates” option enabled, an AssertionConsumerServiceURL attribute and a NameIDPolicy element must be added to the SAML AuthnRequest template of the relevant SAML connection; without them Okta rejects the signed request as invalid. The connection's “Name ID Format” setting must also match the NameIDPolicy Format (“Unspecified” in this case).

In addition, check that the Auth0 SAML connection has “Sign Request” enabled.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@AssertServiceURLAndDestination@@
    AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
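The following is an added diagnostic script, not part of the original article or of Auth0's own tooling. It decodes a SAMLRequest parameter as sent over the HTTP-Redirect binding (base64 over raw DEFLATE) and checks the resulting AuthnRequest for the two items the solution above says Okta requires: an AssertionConsumerServiceURL attribute and a NameIDPolicy whose Format matches the connection's Name ID Format. The checks mirror only what this page states, not Okta's complete validation; the sample requests, the issuer value and the ACS URL are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import List

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def decode_redirect_saml_request(param: str) -> str:
    """Decode a SAMLRequest query value from the HTTP-Redirect binding:
    base64 -> raw DEFLATE (no zlib header, hence wbits=-15) -> XML text."""
    raw = base64.b64decode(param)
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_saml_request(xml_text: str) -> str:
    """Inverse of decode_redirect_saml_request; used here to build sample input."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def check_authn_request(xml_text: str, expected_nameid_format: str = UNSPECIFIED) -> List[str]:
    """Return a list of problems found in an AuthnRequest. An empty list means the
    request carries the attributes and elements the article says Okta needs when
    'Validate SAML requests with signature certificates' is enabled."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return [f"root element is {root.tag}, not samlp:AuthnRequest"]

    # Okta needs an explicit AssertionConsumerServiceURL on the signed request.
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        problems.append("missing AssertionConsumerServiceURL attribute")
    elif not acs.startswith("https://"):
        problems.append("AssertionConsumerServiceURL is not an https URL")

    # The Issuer identifies the Auth0 connection; Okta matches it to the app.
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        problems.append("missing or empty saml:Issuer")

    # NameIDPolicy must be present and agree with the connection's Name ID Format.
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    if policy is None:
        problems.append("missing samlp:NameIDPolicy element")
    elif policy.get("Format") != expected_nameid_format:
        problems.append(
            f"NameIDPolicy Format {policy.get('Format')!r} does not match "
            f"connection Name ID Format {expected_nameid_format!r}"
        )
    return problems


# Constructed sample: a request without the two items the article calls for.
SAMPLE_MISSING = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" IssueInstant="2024-09-24T00:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:auth0:example-tenant:okta-saml</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Constructed sample: the article's template with its @@placeholders@@ filled in.
SAMPLE_FIXED = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://example-tenant.auth0.com/login/callback?connection=okta-saml" '
    'ID="_constructed-2" IssueInstant="2024-09-24T00:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:auth0:example-tenant:okta-saml</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />'
    '</samlp:AuthnRequest>'
)

if __name__ == "__main__":
    for label, xml in (("missing", SAMPLE_MISSING), ("fixed", SAMPLE_FIXED)):
        encoded = encode_redirect_saml_request(xml)
        found = check_authn_request(decode_redirect_saml_request(encoded))
        print(label, "->", found or "OK")
```

To use it on a real flow, copy the SAMLRequest value from the redirect to Okta (URL-decode it first if it came from the query string), pass it to decode_redirect_saml_request, and run check_authn_request with the Name ID Format configured on the Auth0 connection. Any reported problem points at the template or setting to correct before retrying the Okta login.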