Logout SAML Error message v3

David Langenberg davel at uchicago.edu
Sat Jan 17 00:17:32 EST 2015 

It's also saying this:

2015-01-16 22:15:30,519 - DEBUG
[net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] -
Profile Action ExtractSubjectFromRequest: No Subject NameID or
NameIdentifier in message

Perhaps something screwy with the SP?

Dave


On Fri, Jan 16, 2015 at 10:16 PM, David Langenberg <davel at uchicago.edu>
wrote:

> Set both of those to true (restarted Jetty, cleared browser), still
> getting:
>
> 2015-01-16 22:15:30,695 - ERROR
> [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:314] -
> Profile Action ProcessLogoutRequest: Error resolving matching session(s)
> net.shibboleth.utilities.java.support.resolver.ResolverException:
> Secondary service index is disabled
> at
> net.shibboleth.idp.session.impl.StorageBackedSessionManager.resolve(StorageBackedSessionManager.java:569)
>
> and my SAML Error sent back to SP.
>
> Dave
>
> On Fri, Jan 16, 2015 at 10:08 PM, Tom Zeller <tzeller at dragonacea.biz>
> wrote:
>
>>
>>
>> On Jan 16, 2015, at 11:04 PM, Tom Zeller <tzeller at dragonacea.biz> wrote:
>>
>>
>>
>> On Jan 16, 2015, at 10:23 PM, David Langenberg <davel at uchicago.edu>
>> wrote:
>>
>> I have v3 with a fairly default setup.  When I initiate a logout request
>> at an SP, the result is a SAML Error being returned to the SP.  I see in
>> the logs the logout flow activated and then this:
>>
>> 2015-01-16 21:09:42,364 - DEBUG
>> [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:65]
>> - Profile Action SelectProfileInterceptorFlow: Moving completed flow
>> intercept/security-policy/saml2-slo to completed set, selecting next one
>> 2015-01-16 21:09:42,365 - DEBUG
>> [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80]
>> - Profile Action SelectProfileInterceptorFlow: No flows available to choose
>> from
>> 2015-01-16 21:09:42,378 - DEBUG
>> [net.shibboleth.idp.saml.profile.impl.InitializeOutboundMessageContext:149]
>> - Profile Action InitializeOutboundMessageContext: Initialized outbound
>> message context
>> 2015-01-16 21:09:42,411 - DEBUG
>> [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:367]
>> - Profile Action PopulateBindingAndEndpointContexts: Attempting to resolve
>> endpoint of type {urn:oasis:names:tc:SAML:2.0:metadata}SingleLogoutService
>> for outbound message
>> 2015-01-16 21:09:42,420 - DEBUG
>> [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:409]
>> - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at
>> location https://sp.training.incommon.org/Shibboleth.sso/SLO/Redirect
>> using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
>> 2015-01-16 21:09:42,465 - DEBUG
>> [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:304]
>> - Profile Action PopulateEncryptionParameters: Encryption for assertions
>> (false), identifiers (true), attributes(false)
>> 2015-01-16 21:09:42,467 - DEBUG
>> [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:314]
>> - Profile Action PopulateEncryptionParameters: Resolving
>> EncryptionParameters for request
>> 2015-01-16 21:09:42,468 - DEBUG
>> [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:376]
>> - Profile Action PopulateEncryptionParameters: Adding entityID to
>> resolution criteria
>> 2015-01-16 21:09:42,469 - DEBUG
>> [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:387]
>> - Profile Action PopulateEncryptionParameters: Adding role metadata to
>> resolution criteria
>> 2015-01-16 21:09:42,471 - DEBUG
>> [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:330]
>> - Profile Action PopulateEncryptionParameters: Resolved EncryptionParameters
>> 2015-01-16 21:09:42,535 - DEBUG
>> [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] -
>> Profile Action ExtractSubjectFromRequest: No Subject NameID or
>> NameIdentifier in message
>> 2015-01-16 21:09:42,596 - ERROR
>> [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:314] -
>> Profile Action ProcessLogoutRequest: Error resolving matching session(s)
>> net.shibboleth.utilities.java.support.resolver.ResolverException:
>> Secondary service index is disabled
>> at
>> net.shibboleth.idp.session.impl.StorageBackedSessionManager.resolve(StorageBackedSessionManager.java:569)
>>
>> Any thoughts on what I may be doing wrong, or should I take this over to
>> JIRA?
>>
>>
>> There's two session properties in conf/idp.properties that need to be
>> turned true, IIRC. Secondary index and something else nearby.
>>
>>
>> Maybe the other property, besides secondary index, is track sessions.
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
>
>
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago
>



-- 
David Langenberg
Identity & Access Management
The University of Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20150116/a9afd3ad/attachment.html

More information about the users mailing list