Okta SAML Integration with Signed Requests

Problem statement

Okta returns HTTP 400 Bad Request when a SAML Enterprise connection in Auth0 that points at Okta is used with signed requests. This affects authenticating users into the Delegated Admin Extension and any other setup in which Auth0 is the SP and Okta is the IdP with request signing enabled.

Symptoms

Error seen after the SAML request is sent when the user has no Okta session:

/error/400_SAML?stateToken=

If the user already has an Okta session, a 400 error page is shown to the user.


On the Okta side, signed SAML requests are enabled (the "Validate SAML requests with signature certificates" option is turned on).

Steps to reproduce

  • Set up an Okta SAML application using the SAML Integration Wizard. Download the Okta signing certificate from Sign on tab > Settings > More details > Signing certificate.
  • Create a SAML Enterprise connection in Auth0, upload the Okta signing certificate, turn on Sign Request, and download the connection's signing certificate PEM file from the “certificate” link in the dashboard (https://<YOUR_DOMAIN>/pem?cert=connection).
  • In the Okta SAML app's settings, open Show Advanced Settings > Signed Requests, tick "Validate SAML requests with signature certificates", and upload the Auth0 signing certificate PEM file.
  • Attempt to log in through the SAML Enterprise connection. If you have no session with Okta you are redirected to an Okta-based OAuth2 flow and end up on the Okta portal; otherwise you are shown a 400 Bad Request SAML error.

Troubleshooting

https://support.okta.com/help/s/question/0D54z00008LSLMsCAP/saml-signed-requests-failing-with-error-code-400-sp-initiated-sso-flow?language=en_US

The SAML connection was set up against Okta as described above. Once Okta validates request signatures, it rejects the SAML request, but only after the user has authenticated.

Solution

To work with an Okta SAML application that has the “Validate SAML requests with signature certificates” option enabled, an AssertionConsumerServiceURL attribute and a samlp:NameIDPolicy element must be added to the SAML AuthnRequest template of the relevant SAML connection; without them Okta does not accept the signed request as valid. The Okta app's “Name ID Format” setting must match the NameIDPolicy Format (“Unspecified” in this case, i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).
Also check that the Auth0 SAML connection has “Sign Request” enabled.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@AssertServiceURLAndDestination@@
    AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
  </samlp:NameIDPolicy>
</samlp:AuthnRequest>
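The following is an added example written for this article; it is not Auth0 or Okta code. It renders the template above (and the same template without the two additions, for contrast), applies a local model of the two checks the article says Okta insists on (an AssertionConsumerServiceURL that matches the registered ACS URL, and a NameIDPolicy whose Format matches the app's Name ID Format), and encodes the request the way the HTTP-Redirect binding does so that a captured redirect URL can be decoded and inspected. Assumptions not stated on the page: the @@...@@ placeholders are filled by plain string substitution, @@AssertServiceURLAndDestination@@ is rendered here as a Destination attribute only, and all URLs, IDs and the issuer value are constructed. It uses only the standard library, so the request signature itself is not computed; only the exact signing input of the Redirect binding is built.

```python
"""Render, check and Redirect-encode a SAML AuthnRequest (example for this
article; not Auth0 or Okta code).  Assumptions: @@Name@@ placeholders are
filled by plain substitution, @@AssertServiceURLAndDestination@@ becomes a
Destination attribute, check_request() models the two rules the article
attributes to Okta, and every URL/ID below is constructed sample data."""
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Template before the fix: Issuer only, no ACS URL and no NameIDPolicy.
TEMPLATE_BEFORE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@AssertServiceURLAndDestination@@
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
</samlp:AuthnRequest>"""

# Template from the Solution section, with the two additions.
TEMPLATE_AFTER = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@AssertServiceURLAndDestination@@
    AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
  </samlp:NameIDPolicy>
</samlp:AuthnRequest>"""

# Constructed stand-ins for what Auth0 substitutes at runtime.
ACS_URL = "https://tenant.example.auth0.com/login/callback?connection=okta"
SSO_URL = "https://example.okta.com/app/example_app/abc123/sso/saml"
SAMPLE_VALUES = {
    "AssertServiceURLAndDestination": f'Destination="{SSO_URL}"',
    "AssertionConsumerServiceURL": ACS_URL,
    "ID": "_0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "IssueInstant": "2024-01-01T00:00:00Z",
    "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "Issuer": "urn:auth0:tenant:okta",
}


def render(template, values):
    """Fill every @@Name@@ placeholder; fail loudly on an unknown one."""
    def fill(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder @@{key}@@")
        return values[key]
    return re.sub(r"@@(\w+)@@", fill, template)


def check_request(xml_text, expected_acs, expected_nameid_format):
    """Return the problems an IdP applying the article's two rules would report."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, not samlp:AuthnRequest"]
    problems = []
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        problems.append("missing AssertionConsumerServiceURL attribute")
    elif acs != expected_acs:
        problems.append(f"AssertionConsumerServiceURL {acs!r} is not the registered ACS")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        problems.append("missing samlp:NameIDPolicy element")
    elif policy.get("Format") != expected_nameid_format:
        problems.append(f"NameIDPolicy Format {policy.get('Format')!r} does not match "
                        "the app's Name ID Format")
    return problems


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(saml_request):
    """Inverse of encode_redirect: what the IdP does with ?SAMLRequest=..."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def signing_input(saml_request, relay_state=None, sig_alg=RSA_SHA256):
    """Exact octets signed in the Redirect binding (SAML Bindings 3.4.4.1):
    URL-encoded SAMLRequest, then RelayState if present, then SigAlg."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in parts)


def redirect_url(sso_url, xml_text, relay_state=None):
    """Unsigned Redirect URL; a real SP appends &Signature=... over signing_input()."""
    return sso_url + "?" + signing_input(encode_redirect(xml_text), relay_state)


def inspect_redirect_url(url, expected_acs, expected_nameid_format):
    """Debug helper: pull SAMLRequest out of a captured redirect URL and check it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return check_request(decode_redirect(query["SAMLRequest"][0]),
                         expected_acs, expected_nameid_format)
```

Rendering TEMPLATE_BEFORE yields two problems (no ACS attribute, no NameIDPolicy) while TEMPLATE_AFTER yields none, which is the difference the Solution describes. When debugging a live 400, paste the URL of the redirect to Okta into inspect_redirect_url with the Okta app's Single sign-on URL and Name ID Format. Two caveats: the real request also carries a Signature parameter computed over signing_input() with the connection's signing key, whose certificate is the PEM uploaded to Okta, so a mismatch there produces the same 400 even when the XML is correct; and because this example renders @@AssertServiceURLAndDestination@@ as a Destination attribute only (an assumption), the explicit AssertionConsumerServiceURL does not collide with it. If the placeholder also expanded to that attribute, the rendered XML would contain a duplicate attribute and ET.fromstring would raise a ParseError, which is worth checking against the actual request Auth0 emits.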