Hi,
I need help signing out using the IDP. I am facing the following error message every time I log out.
The SAML Message log is the following
And when I debugged the IDP application, the error arises from DoSLOLogout / Preparation, when creating the SAML Logout Request XML.
Has anyone faced the same issue and solved it?
Regards
Yudi
Hi @Yudi Gemi Sutanto Tjong ,
The error "Invalid provider type specified" usually means that the cryptographic service provider (CSP) specified by the PFX file doesn’t support SHA-256 signatures. This most likely is from the AutoGenerated Keystore.Unfortunately, I suspect that has to do with the server configuration, and I have yet to replicate the error in order to prevent that from happening in the future.In the meantime, you should be able to validate if that is the case and if it is, perform some steps to fix the Keystore file.To validate this, please do the following
In the IdP app, on the configuration that has the error under "SP Connector and Claims" Authentication, Download the KeyStore by clicking the keystore name.Once downloaded, open a command prompt and enter the following command command
Enter the password when requested ( for auto generated files the password is the value on the downloaded keystone after the last underscore "_".
If the output says "Provider = Microsoft Enhanced RSA and AES Cryptographic Provider" the keystore is correct.If that is not the case, you will need to convert it to a new file that uses the correct provider.
1 - Start by converting the keystore from PKCS12 to PEM format. When it was asked, be ready to provide the password used for protecting the private key (it should be the same password used on the certutil validation)
openssl pkcs12 -in <your keystore file>.p12 -out keystore.pem2. Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.
openssl pkcs12 -export -in keystore.pem -out newkeystore.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
3. Now you can verify the CSP in the new PFX file with the CertUtil command again.
certutil -dump newkeystore.p12 You should see a line saying:Provider = Microsoft Enhanced RSA and AES Cryptographic ProviderRegards,
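The keystore round trip described in the answer above, as an added, self-contained example that is not part of the original thread or of the IdP component: it builds a throwaway self-signed keystore with no CSP name (a constructed stand-in for the auto-generated one), converts it through PEM with the -CSP flag and the same PBE settings, and then reads the "Microsoft CSP Name" attribute back with openssl, which is what certutil -dump reports as "Provider = ..." on Windows. The password "changeit", the subject "idp-example" and the file names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): rebuild a PKCS#12 keystore through PEM so the key
# bag carries the "Microsoft Enhanced RSA and AES Cryptographic Provider" CSP name, and verify
# the attribute with openssl instead of certutil so it can run on Linux/macOS.
set -eu

CSP="Microsoft Enhanced RSA and AES Cryptographic Provider"
PASS="changeit"                 # constructed password for the throwaway files below
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the auto-generated keystore: a self-signed key/cert packed into a
# PKCS#12 with OpenSSL defaults, i.e. with no CSP name attribute at all.
make_keystore_without_csp() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=idp-example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/old.p12" -passout "pass:$PASS"
  echo "$WORK/old.p12"
}

# The fix from the thread, parameterised: PKCS#12 -> PEM -> PKCS#12 with -CSP and the
# SHA1/3DES PBE settings that the Microsoft CSP expects.
convert_keystore() {
  in_p12="$1"; out_p12="$2"
  openssl pkcs12 -in "$in_p12" -passin "pass:$PASS" \
    -out "$WORK/keystore.pem" -passout "pass:$PASS"
  openssl pkcs12 -export -in "$WORK/keystore.pem" -passin "pass:$PASS" \
    -out "$out_p12" -passout "pass:$PASS" \
    -CSP "$CSP" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
  echo "$out_p12"
}

# Print the Microsoft CSP Name attribute stored on the key bag, or "(none)". openssl only prints
# key-bag attributes when it emits the key, so the key is written (unencrypted) to a temp file
# inside $WORK and deleted immediately; certutil -dump shows the same value as "Provider = ...".
csp_name_of() {
  dump="$WORK/dump.pem"
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes -out "$dump"
  name="$(sed -n 's/^ *Microsoft CSP Name: //p' "$dump" | head -n 1)"
  rm -f "$dump"
  if [ -n "$name" ]; then printf '%s\n' "$name"; else echo "(none)"; fi
}

OLD_P12="$(make_keystore_without_csp)"
OLD_CSP="$(csp_name_of "$OLD_P12")"
NEW_P12="$(convert_keystore "$OLD_P12" "$WORK/newkeystore.p12")"
NEW_CSP="$(csp_name_of "$NEW_P12")"
echo "before: $OLD_CSP"
echo "after:  $NEW_CSP"
```

Replace the constructed keystore with the real downloaded one (and its password) to check a production file; the "(none)" result is what an auto-generated keystore without a CSP attribute looks like, and the converted file must report the full provider name before it is uploaded back to the IdP configuration.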
Hi João Barata,
Thank you for replying. But I am struggling to convert the provider right now. The cert is as follows in my case:
When I did the second step that you recommended to extract the cert, I faced the following:
However, prior to trying your solution, I did the following:
1. Changed the HTTP-POST to HTTP-REDIRECT. By changing to HTTP-REDIRECT, it goes through the following code in the extension and SAML_CreateLogoutRequest is no longer an issue.
2. However, I faced the next issue:
To solve this, after reading this solution https://www.outsystems.com/forums/discussion/76294/unable-to-create-saml-signature-on-azuread-sso-logout-using-idp/
I did the following as recommended by the discussion:
After doing it, the logout seems to have no issue. But I am still not satisfied, because when I log out, the app automatically logs in again without needing to log in from the Okta SSO login page. I notice that the logout process in Okta does not seem to be done properly, judging by the Okta System Log, and the IDP SAML message also gives an invalid Logout response (see the pic below).
Any input?
I managed to follow your suggestion and everything works now. There was also a slight mistake on my part when applying the public cert in Okta; I was using the wrong one. Thank you for your help.
Regards,
Yudi Gemi Sutanto Tjong
Hi Yudi,
Are you able to share the input parameters that you are passing to SAML_CreateLogOutRequest (you can blank out the sensitive parts of the information)?
Kind regards
Thibaut