[IdP] Okta IdP integration: "UNABLE TO PROCESS REQUEST"
Question (Solved)
Forge component by Rui Barbosa
Published on 07 Oct 2020

Hello,

When I set up our application in Okta, I get 

UNABLE TO PROCESS REQUEST

Unable to process SAML Logout response message

This occurs after logging in. For some reason it seems like it is trying to log out. I attached the SAML response for your review.


The error logged is: "ResponseId was not previous registered."


I'm not sure what I'm doing wrong.

Thank you

response_saml.xml

Staff
Rank: #42
Solution

Hi Daniel,

Yes, and from Okta's perspective it's the ACS URL.

If the Okta version that you are using supports importing an SP XML metadata file, you can download that SP XML in the IdP component and import it into Okta, and it should be fine.
Otherwise, you should be able to set the ACS URL manually to SSO.aspx in the Okta configuration console.


Regards

Staff
Rank: #42

Hi Daniel,

The message content is a "LoginResponse"; however, it seems that it is being sent to the IdP connector's "LogoutEndpoint" instead of the ACS ("LoginResponse") endpoint.

Please review the configuration on the IdP server end so that it sends the Assertion to the correct URL, i.e. instead of .../IdP/SLO.aspx it should be sent to .../IdP/SSO.aspx.


Regards

Staff
Rank: #42

Hi Daniel,

At least in the version I used, it's here (Attribute Statements).


Then just make sure to map the Name to the same value in the IdP configurator (Claims configuration).

Regards
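
The routing and claim-name checks from this reply and the two staff replies above, written out as an added example (this is not the IdP component's own code): it reads the ACS and SLO locations out of an SP metadata file of the kind the connector exports, classifies an incoming SAML message by its root element, reports a login Response that arrived at the SLO endpoint (the thread's symptom), and lists connector claim names that have no Attribute with the same Name in the assertion. The host, paths, issuer, and the metadata and Response documents are constructed for the example. It deliberately skips signature, Conditions and InResponseTo validation, which a real SP must perform before trusting anything in the message.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata (assumed host and paths), shaped like the file the
# connector lets you download and Okta lets you import.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/IdP/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/IdP/SLO.aspx"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/IdP/SSO.aspx" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned login <Response>. No Signature or Conditions are shown:
# this example only checks routing and claim names, not assertion validity.
LOGIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-10-07T10:00:00Z"
    Destination="https://app.example.com/IdP/SSO.aspx" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/issuer</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-10-07T10:00:00Z">
    <saml:Issuer>https://idp.example.com/issuer</saml:Issuer>
    <saml:Subject><saml:NameID>daniel@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>daniel@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Daniel</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sp_endpoints(metadata_xml):
    """Return the ACS and SLO locations advertised in SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(".//md:AssertionConsumerService", NS)
    slo = root.find(".//md:SingleLogoutService", NS)
    return {"acs": acs.get("Location"), "slo": slo.get("Location")}


def message_kind(saml_xml):
    """Classify a SAML protocol message by its root element."""
    tag = ET.fromstring(saml_xml).tag
    kinds = {
        f"{{{NS['samlp']}}}Response": "login_response",
        f"{{{NS['samlp']}}}LogoutResponse": "logout_response",
        f"{{{NS['samlp']}}}LogoutRequest": "logout_request",
    }
    return kinds.get(tag, "unknown")


def check_routing(saml_xml, posted_to, endpoints):
    """Diagnose where a message landed versus where the SP expects it.

    A login Response belongs on the ACS; logout messages belong on the SLO
    endpoint. A login Response posted to SLO.aspx is what the SP's logout
    handler rejects with "Unable to process SAML Logout response message".
    """
    kind = message_kind(saml_xml)
    if kind == "unknown":
        return "unknown message type"
    expected = endpoints["acs"] if kind == "login_response" else endpoints["slo"]
    if posted_to != expected:
        return f"misrouted: {kind} posted to {posted_to}, expected {expected}"
    destination = ET.fromstring(saml_xml).get("Destination")
    if destination is not None and destination != posted_to:
        return f"destination mismatch: message carries {destination}, arrived at {posted_to}"
    return "ok"


def assertion_attributes(saml_xml):
    """Map each <Attribute Name> in the AttributeStatement to its values."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def unmapped_claims(attrs, expected_names):
    """Claim names the connector is configured for that Okta did not send
    under exactly that Name (the Attribute Statements / Claims mapping above)."""
    return sorted(set(expected_names) - set(attrs))


if __name__ == "__main__":
    ep = sp_endpoints(SP_METADATA)
    print(check_routing(LOGIN_RESPONSE, ep["slo"], ep))  # the thread's symptom
    print(check_routing(LOGIN_RESPONSE, ep["acs"], ep))  # after fixing Okta's ACS URL
    print(unmapped_claims(assertion_attributes(LOGIN_RESPONSE), ["email", "firstName", "lastName"]))
```

To use it on a real capture, base64-decode the SAMLResponse form field from the browser's developer tools and pass the XML plus the URL it was posted to; if the first line reads "misrouted", Okta's Single sign on URL (ACS) points at the wrong endpoint. For production parsing prefer defusedxml over xml.etree, and validate the signature before reading any attribute.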

Staff
Rank: #42

Hi Andy,

The configuration seems fine. However, the screenshots you posted of debugging in Service Studio are from before the login request is sent to Okta.

So, you are redirected to Okta and after logging in on Okta you are redirected to Service Center, is that it?
Or are you never redirected to Okta to perform the login?

From your configuration Okta should definitely send the message to SSO.aspx, which is in fact the IdP screen.

From the browser developer tools, can you confirm exactly which URL Okta is redirecting the browser to?


Regards

Staff
Rank: #42

Hi Andy,

Yes, you need to go to the IdP connector configuration and activate the flag/checkbox to allow IdP-initiated logins. It's on the third tab.


Regards.

Staff
Rank: #42

Hi Andy,

I did not fully understand your first question. If it works via the application (SP-initiated login), it should also work fine for IdP-initiated login. However, in an IdP-initiated login the IdP may not know where to redirect the browser. Kindly check the help message near the checkbox for that configuration: "When activated will allow IdP Server Initiated login, ie, without the need of previously this connector sends an Authn SAML message. When activated most probably you also want to configure a "Login Default URL""

Meaning that without a "Login Default URL" configured (on the same third tab) the browser will most probably be redirected to the "/" URL, which in your installation must be getting redirected to Service Center.

Regarding the second question, a single IdP should be enough for all your applications (including multi-tenant scenarios).

The use case that is in fact not supported with the same IdP application is when your applications have different User Providers (the User Provider of the IdP connector must be the same as that of the applications that rely on it).


Regards
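
The accept/reject and redirect decisions described in the two staff replies above, as an added example (not the connector's code): an unsolicited Response (one with no InResponseTo) is accepted only when IdP-initiated login is enabled, an SP-initiated one must answer an AuthnRequest the SP actually sent, and the post-login target falls back to the Login Default URL and then to "/". Treating a RelayState value as the first choice, and accepting it only when it is a site-relative path so it cannot become an open redirect, is my addition rather than something the thread states; the message contents and URLs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed messages. An SP-initiated Response answers an AuthnRequest the
# connector sent earlier, so it carries InResponseTo; an IdP-initiated one does not.
SP_INITIATED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" InResponseTo="_req1"/>'
IDP_INITIATED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0"/>'


def safe_local_path(target):
    """Accept only a site-relative path as a redirect target: no scheme, no host,
    and no protocol-relative '//host' or '/\\host' form. Anything else is dropped."""
    if not target:
        return None
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/") or target[1:2] in ("/", "\\"):
        return None
    return target


def evaluate_login(response_xml, allow_idp_initiated, outstanding_request_ids,
                   login_default_url=None, relay_state=None):
    """Decide whether to accept a login Response and where to send the browser after it.

    outstanding_request_ids: IDs of AuthnRequests this SP issued and has not yet
    consumed (assumed to be tracked per session by the real connector).
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return {"accepted": False, "reason": "not a login Response"}
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited: this is the IdP-initiated case the third-tab checkbox enables.
        if not allow_idp_initiated:
            return {"accepted": False, "flow": "idp_initiated",
                    "reason": "unsolicited Response while IdP-initiated login is disabled"}
        flow = "idp_initiated"
    elif in_response_to not in outstanding_request_ids:
        return {"accepted": False, "flow": "sp_initiated",
                "reason": "InResponseTo does not match an outstanding AuthnRequest"}
    else:
        flow = "sp_initiated"
    # Post-login target: a safe RelayState path first (my assumption, not from the
    # thread), then the Login Default URL, then "/" as the reply above describes.
    redirect_to = safe_local_path(relay_state) or login_default_url or "/"
    return {"accepted": True, "flow": flow, "redirect_to": redirect_to}


if __name__ == "__main__":
    print(evaluate_login(IDP_INITIATED, allow_idp_initiated=False, outstanding_request_ids=set()))
    print(evaluate_login(IDP_INITIATED, allow_idp_initiated=True, outstanding_request_ids=set()))
    print(evaluate_login(IDP_INITIATED, True, set(), login_default_url="/MyApp/Home.aspx",
                         relay_state="https://evil.example/"))
    print(evaluate_login(SP_INITIATED, False, {"_req1"}))
```

Run as-is, the first call is what the connector does with the checkbox off (rejected), the second shows the "/" fallback when no Login Default URL is set, the third shows a hostile RelayState being ignored in favour of the configured default, and the fourth is the ordinary SP-initiated path.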

Staff
Rank: #42

Hi Andy,

Regarding the second question, basically you have two applications in OutSystems, and each one needs to use a different IdP Single Sign-on URL on Okta? That use case is only supported OOB in a multi-tenant scenario, meaning that you need a tenant for each application. If you need to use both applications in the same tenant, the IdP component does not support multiple IdP issuers/SP issuers for the same tenant.

On the other hand, if these two applications must be in different User Providers, you need to clone IdP and have two IdP installations, one for each User Provider.


Regards

Staff
Rank: #42

Hi Daniel,

I didn't understand your use case; the Login Default URL applies to web apps (not mobile apps). In a web app, after the login the browser will be redirected to the Login Default URL (if defined). Usually for SP-initiated login there is no need to define it for most use cases. For IdP Mobile, the app itself, which includes the SAMLLogin WB, is responsible for redirecting the user to the desired screen after receiving the LoginSuccess event.

For the screenshot above, using the latest version of both components, the InAppBrowserOnLoadStart action inside the SamlLogin WB should be triggered and close the InApp browser automatically.


Regards