[IdP] Single Signout - Can't sign out

Forge Component
37 votes
Published on 4 Aug by Telmo Martins

I am using the IdP component and was able to successfully configure the Single Sign-on part. I just followed the configuration, but I can't log out from the application or from Okta using the single sign out. The splash screen saying that I am being logged out is shown, but I always get back into the originating application.

Debugging the main app, after the IdP_SingleLogout_URL action I was redirected to the No Permission screen, where the IdP_SSO_URL is, so I was logged in again.

Any hints on what I need to check?

Checked that I have not made valid Logout Responses

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse Destination="https://pordmweb01/Idp/SLO.aspx" ID="id42097145263360681942374689" InResponseTo="id_b2edbf2816544999878e0a54f9f59e4e" IssueInstant="2019-09-11T15:31:59.569Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk1bm6wejLuzSxQZ357</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id42097145263360681942374689">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>nCbevYV6U1mVP6t+DnarssmjtzA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>W/azWdvHjFD0QwpKQJSNOKSLgxE2fhb66OsdmuEjDZFJisCvbhmPSpQIB3gnTy9YtAhX5Cy1o58VG//UhpZ+VXLllTjyN21S5jAAZqBW1QV3verC3BjPEcq82M8708S4vIBANZc2Xjds/HViu7qy070GAiCa0wA4lgAnIPKm8e1DtcBVx9DKclyIWKuGHmmUj8erGUhsHfeb8AwDqNNVR8v/s/f5X2VTkvnu3GP9DgNheJQBPilJ/rzWUS6DdlwktCnOji8Y9H6fsk6Tn0pTCJxOA/d/YbNYOlgw/DaBYGBB4AZzmdkWh8p6ogGNTA5qf8NKolfijKQ8WKLDn47FxQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIID0DCCArigAwIBAgIGAW0X3cg9MA0GCSqGSIb3DQEBCwUAMIGoMQswCQYDVQQGEwJVUzETMBEG…</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
  </saml2p:Status>
</saml2p:LogoutResponse>

So I was able to finally "logout" from the application by putting "server/app/login.aspx" in the OriginalURL parameter of the IdP_SSO_URL. I put the emphasis on "logout" because, since I didn't really trigger a user_logout from the application, I think I am still on it. Plus, I am under the impression that when I make a request for a Single Logout, I will be logged out of Okta as well. Is this impression correct? Or does the user really need to log out manually from Okta as well after logging out of OutSystems?

After more debugging I found that I was indeed not logged out, because of an error in the response, and it says:

"Request timestamp not valid"

What do I need to look at for this?

I tried to debug this again and what happened?

Success false with no errors :(
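The thread is about a LogoutResponse that came back with a non-Success StatusCode and, later, a "Request timestamp not valid" error. The following is an added example, not code from the IdP Forge component or from the poster, of the checks an SP-side SLO handler performs on a LogoutResponse before treating the user as logged out: the StatusCode, the InResponseTo correlation with the LogoutRequest it sent, and the IssueInstant against the server clock with an allowed skew. The sample response, the Destination, Issuer and IDs in it, and the five-minute skew are constructed assumptions; signature verification is out of scope here.

```python
# Added example (not the Forge component's code): validate a SAML 2.0
# LogoutResponse the way an SP would before ending the local session.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the response in the post (signature and
# certificate omitted; IDs and hostnames are placeholders).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.example.test/Idp/SLO.aspx" ID="id-response-1"
    InResponseTo="id-request-1" IssueInstant="2019-09-11T15:31:59.569Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkEXAMPLE</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></saml2p:Status>
</saml2p:LogoutResponse>"""


def parse_instant(value):
    """IssueInstant is UTC ISO 8601, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable IssueInstant: {value!r}")


def check_logout_response(xml_bytes, expected_request_id, now,
                          max_skew=timedelta(minutes=5)):
    """Return (ok, reasons); ok is True only when every check passes."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['saml2p']}}}LogoutResponse":
        return False, ["not a LogoutResponse"]
    reasons = []
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    if status != SUCCESS:                       # e.g. AuthnFailed: IdP did not log the user out
        reasons.append(f"status {status}")
    if root.get("InResponseTo") != expected_request_id:
        reasons.append("InResponseTo does not match our LogoutRequest ID")
    issued = parse_instant(root.get("IssueInstant", ""))
    if abs(now - issued) > max_skew:            # the "timestamp not valid" class of failure
        reasons.append(f"IssueInstant {issued.isoformat()} outside +/-{max_skew} of server clock")
    return not reasons, reasons
```

Comparing the server clock against IssueInstant (and the Destination against your own SLO URL) is the first thing to check when the component reports a timestamp error, since clock drift between the SP and Okta produces exactly that symptom.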