Request signing with Okta as IDP

I’ve created an enterprise SAML connection in Auth0, using Okta as the IDP. Authentication works fine. Now I want to set up request signing.

I’ve enabled Sign Request in Auth0. I can see Signature and SigAlg being sent along with the SAMLRequest.

In Okta, I uploaded my tenant’s signing cert (obtained from https://<MY_TENANT_DOMAIN>/pem).

But when signature validation is enabled, login transactions immediately fail with Unknown configuration or configuration not supported.

If I disable signature validation on Okta’s side, login works again. So obviously Okta doesn’t like something about my signed SAMLRequest.

I verified the signature using Validate SAML AuthN Request Online Tool | SAMLTool.com and it’s correct.

Has anyone successfully configured this?


Dealing with the exact same issue. Did you find a resolution?

I can’t find any other details about this error. What is the next step for debugging this?

Looks like many others are having this issue:
https://support.okta.com/help/s/question/0D54z00008LSLMsCAP/saml-signed-requests-failing-with-error-code-400-sp-initiated-sso-flow?language=en_US

What is the timeline for resolving this?


I have not solved it. I’ve been working around this by disabling signature validation in Okta.

You must include the Format attribute on the NameIDPolicy node, and the Format value has to match the configuration for your application in Okta.

Applications > “Your Application” > General > Edit (SAML Settings) > Next > Scroll to Bottom

<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">

To Fix The Issue:
We are using ComponentSpace, and you can’t set the Format prior to calling InitiateSsoAsync. You can only set it when the OnAuthnRequestCreated event occurs.

// Hook the AuthnRequest after ComponentSpace builds it but before it is signed and sent,
// and set the NameIDPolicy Format to the value configured for the app in Okta.
_samlServiceProvider.Events.OnAuthnRequestCreated += (context, request) =>
{
    request.NameIDPolicy.Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    return request;
};
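As an added diagnostic for this thread (not code from the original posts, nor from ComponentSpace, Auth0 or Okta), the following Python script decodes a SAMLRequest from the HTTP-Redirect binding, checks that the NameIDPolicy Format attribute is present and equal to the format configured in Okta, and builds the exact query string that the Signature parameter covers, so you can confirm what was signed. The AuthnRequest, issuer and URLs are constructed placeholders; the expected format is the one named in the answer above.

```python
"""Decode an HTTP-Redirect SAMLRequest and check its NameIDPolicy Format."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Format the Okta app is configured with (from the answer above).
OKTA_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample AuthnRequest: placeholder ID, issuer and URLs, not a real tenant.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example.okta.com/app/example/sso/saml"
    AssertionConsumerServiceURL="https://sp.example.com/login/callback"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>urn:sp.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Same request with the Format attribute stripped: the failing shape described in the thread.
SAMPLE_WITHOUT_FORMAT = SAMPLE_AUTHN_REQUEST.replace(
    ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"', ""
)


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode()) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def decode_redirect(param: str) -> str:
    """Inverse of encode_redirect: URL-decode, base64-decode, raw inflate."""
    data = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(data, -15).decode()


def name_id_format(xml_text: str):
    """Return NameIDPolicy/@Format, or None when the element or attribute is absent."""
    policy = ET.fromstring(xml_text).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def check_request(saml_request_param: str, expected_format: str) -> list:
    """List the problems found; an empty list means the request matches the configured format."""
    problems = []
    fmt = name_id_format(decode_redirect(saml_request_param))
    if fmt is None:
        problems.append("NameIDPolicy Format attribute missing")
    elif fmt != expected_format:
        problems.append(f"NameIDPolicy Format {fmt!r} != configured {expected_format!r}")
    return problems


def signed_query_string(saml_request_param: str, relay_state, sig_alg: str) -> str:
    """The string the Signature parameter covers (SAML 2.0 Bindings, section 3.4.4.1):
    URL-encoded values, RelayState only when present, in exactly this order."""
    parts = [f"SAMLRequest={saml_request_param}"]
    if relay_state is not None:
        parts.append(f"RelayState={urllib.parse.quote(relay_state, safe='')}")
    parts.append(f"SigAlg={urllib.parse.quote(sig_alg, safe='')}")
    return "&".join(parts)


if __name__ == "__main__":
    good = encode_redirect(SAMPLE_AUTHN_REQUEST)
    bad = encode_redirect(SAMPLE_WITHOUT_FORMAT)
    print("with Format:   ", check_request(good, OKTA_FORMAT) or "ok")
    print("without Format:", check_request(bad, OKTA_FORMAT))
    print("signed string: ", signed_query_string(good, None,
          "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")[:80], "...")
```

To use it against a real login, paste the SAMLRequest value from the redirect to Okta (URL-encoded, as it appears in the Location header) into check_request together with the format shown in the Okta app's SAML settings. If the Format is missing or differs, that is the mismatch the answer above describes; if it matches and Okta still rejects the request, compare the output of signed_query_string with what your SP actually signed, since a signature over a differently ordered or differently encoded string will also fail validation.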

Thanks for sharing it with the rest of community!

[From Okta Support]

From what I have been told by our team in terms of documentation:

This particular function is not something that will be made public. In our public documentation we include general information about how to set up apps that work with us. We do not include advanced details such as how our backend checks are made and what they are, so we do not have any public-facing doc which highlights this.

If app vendors are interested in integrating their applications with us, they should be working with our oinmanager.okta.com team, where these types of details are usually discussed.
