
I am using Okta as the IdP. I am getting the error shown in the picture:

Azure AD: getting Invalid X509 certificate chain when Unbind with itfoxtec

I found this article and I have the same issue, but my IdP is Okta. How can I obtain the root certificate for Okta?

I cannot use "CertificateValidationMode": "None" because the Checkmarx code scan indicates that it is unsafe.

Therefore, I must obtain the root certificate to resolve this issue.

Please help me, as I have been stuck for several days.

Thanks a lot.

3 Answers


Okta's SAML certificates are usually self-signed. So it is the same certificate that you get when configuring SSO in Okta with a SAML app. It is also part of the IdP's metadata.

Philipp Grigoryev

I have solved the problem, and the steps are as follows:

  1. Save the X509Certificate from the IdP metadata as a .crt file.
  2. Import the .crt file into the root certificates of the SP.
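The two steps above, done in code on the SP side, as an added example that is not part of the original post and not code from the ITfoxtec library. A self-signed IdP signing certificate is its own root, so pinning that exact certificate as the only trust anchor lets chain validation succeed for the genuine Okta certificate while anything else (including another self-signed certificate with the same subject name) is rejected, without setting CertificateValidationMode to None and without importing anything into the machine-wide root store. The class and method names (IdpTrust, SigningCertificateFromMetadata, IsTrustedIdpCertificate), the entityID and the certificates are assumptions made for the demo; the IdP metadata is constructed inline from a freshly minted self-signed certificate.

```csharp
// Added example: pin the IdP signing certificate from SAML metadata as a custom
// trust root in .NET. Not from the original post or from ITfoxtec; names and the
// generated certificates are demo assumptions.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

public static class IdpTrust
{
    const string MdNs = "urn:oasis:names:tc:SAML:2.0:metadata";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Step 1: extract the <ds:X509Certificate> of the signing KeyDescriptor from
    // IdP metadata. The base64 DER blob is exactly what you would save as a .crt.
    // A KeyDescriptor with no "use" attribute is valid for signing per the SAML
    // metadata spec, so it is accepted as well.
    public static X509Certificate2 SigningCertificateFromMetadata(string metadataXml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(metadataXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("md", MdNs);
        ns.AddNamespace("ds", DsNs);
        var node = doc.SelectSingleNode(
            "//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']" +
            "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns)
            ?? throw new InvalidOperationException("no signing certificate in IdP metadata");
        var der = Convert.FromBase64String(node.InnerText.Trim());
        return new X509Certificate2(der);
    }

    // Step 2, in code instead of the OS store: make the pinned IdP certificate the
    // only trust anchor. X509ChainTrustMode.CustomRootTrust (.NET 5 and later)
    // replaces the system root store with CustomTrustStore for this chain only.
    public static bool IsTrustedIdpCertificate(X509Certificate2 presented, X509Certificate2 pinnedIdpCert, out string reason)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(pinnedIdpCert);
        // A self-signed certificate publishes no CRL/OCSP endpoint, so online
        // revocation checking can only fail; key rotation is handled by re-reading
        // the metadata and re-pinning, not by revocation.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        var ok = chain.Build(presented);
        reason = ok ? "ok" : string.Join("; ", Array.ConvertAll(chain.ChainStatus, s => s.Status.ToString()));
        return ok;
    }

    // Demo only: mint a self-signed certificate standing in for Okta's IdP signing key.
    static X509Certificate2 NewSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        // Re-import the public half only: that is all the SP ever sees.
        return new X509Certificate2(cert.Export(X509ContentType.Cert));
    }

    // Demo only: constructed IdP metadata carrying the given certificate.
    static string MetadataFor(X509Certificate2 cert) =>
        $@"<md:EntityDescriptor xmlns:md=""{MdNs}"" entityID=""http://www.okta.com/example"">
  <md:IDPSSODescriptor protocolSupportEnumeration=""urn:oasis:names:tc:SAML:2.0:protocol"">
    <md:KeyDescriptor use=""signing""><ds:KeyInfo xmlns:ds=""{DsNs}""><ds:X509Data>
      <ds:X509Certificate>{Convert.ToBase64String(cert.Export(X509ContentType.Cert))}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>";

    public static void Main()
    {
        var oktaCert = NewSelfSigned("CN=okta-example");   // the genuine IdP key
        var impostor = NewSelfSigned("CN=okta-example");   // same subject, different key
        var pinned = SigningCertificateFromMetadata(MetadataFor(oktaCert));

        var genuineOk = IsTrustedIdpCertificate(oktaCert, pinned, out var whyGenuine);
        var impostorOk = IsTrustedIdpCertificate(impostor, pinned, out var whyImpostor);

        Console.WriteLine($"pinned thumbprint: {pinned.Thumbprint}");
        Console.WriteLine($"genuine cert accepted: {genuineOk} ({whyGenuine})");
        Console.WriteLine($"impostor accepted:     {impostorOk} ({whyImpostor})");
    }
}
```

Drop this into a console project (dotnet new console) as Program.cs and run it: the genuine certificate should be accepted and the impostor rejected with an UntrustedRoot status, which is the behaviour the .crt-in-root-store step gives you machine-wide. In a real SP, feed SigningCertificateFromMetadata the metadata downloaded from the Okta app's metadata URL and re-read it on Okta's certificate rotation; the reason string from chain.ChainStatus is what to log when a validation failure like the one in the question shows up, because it tells you whether the problem is trust, expiry or revocation rather than hiding it behind a blanket None.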

You can also disable certificate validation to allow self-signed certificates.

In the config, set "CertificateValidationMode": "None" and "RevocationMode": "NoCheck".
This is shown in the ASP.NET Core sample application.

Anders Revsgaard