SP SAML2 Logout

Ryan Rumbaugh rrumbaugh at nebraska.edu
Wed Apr 13 11:16:01 EDT 2016

Yes, I do get alerted to the fact that the IdP session has already been removed.

72-2016-04-13 07:52:24,534 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:707] - Performing primary lookup on session ID ed124714b68dd901b73b6da0a4e71376535babda4cd5ffde19c8d515d3e77fef
73-2016-04-13 07:52:24,536 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:715] - Primary lookup failed for session ID ed124714b68dd901b73b6da0a4e71376535babda4cd5ffde19c8d515d3e77fef
74-2016-04-13 07:52:24,539 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:315] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
75:2016-04-13 07:52:24,540 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: SessionNotFound
76-2016-04-13 07:52:24,541 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:184] - Error event SessionNotFound will be handled with response
77-2016-04-13 07:52:24,542 - DEBUG [org.opensaml.saml.saml2.profile.impl.AbstractResponseShellAction:217] - Profile Action AddStatusResponseShell: Setting Issuer to https://fedt.nebraska.edu/idp/shibboleth
78-2016-04-13 07:52:24,543 - DEBUG [org.opensaml.saml.common.profile.impl.AddInResponseToToResponse:110] - Profile Action AddInResponseToToResponse: Attempting to add InResponseTo to outgoing Response

After this completes, the IdP redirects back to SP2, which is where I did see the IIS 505 error. I was expecting the IdP to at least send a SAML2 logout response back to the SP, but it’s simply performing an HTTP redirect. I did add the <error> tag to the shibboleth2.xml to get rid of the 505 error, but is there a way to avoid the error altogether?

Thanks again.

Ryan Rumbaugh
University of Nebraska-Central Administration
Identity & Access Management
Phone: (402) 472-0831
Mobile: (402) 304-2556

On 4/12/16, 3:32 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

>On 4/12/16, 4:12 PM, "users on behalf of Ryan Rumbaugh" <users-bounces at shibboleth.net on behalf of rrumbaugh at nebraska.edu> wrote:
>>Say, for example, I authenticate to two SPs (SP1 & SP2) using the same IdP and then log out of SP1. After logging out, the application and SP1 sessions are removed and I am redirected to the IdP logout page which successfully removes the IdP session.
>You appear to be talking about a partial logout without the SLO feature in place to remove SP2's session.
>>Now, if I go to SP2, where my SP2 session is still active, and click logout, an error occurs on SP2. Not sure what the error is, but I get a 505 on IIS.
>I assume the IdP has responded that the LogoutRequest failed and IIS is hiding the result.
>>I realize the IdP session has already been removed in my scenario, but what I would like to happen is to have the IdP redirect back to SP2 with some response that I can check for.
>It likely did, or should have, but that should be clear from the logs on both sides.
>-- Scott

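With the SAML 2.0 HTTP-Redirect binding, a LogoutResponse travels on the redirect itself as a DEFLATE-compressed, base64-encoded `SAMLResponse` query parameter. The following is an added example, not code from this thread or from the Shibboleth project, that decodes such a redirect URL and reads the status it carries; the sample message, its IDs, the SP host name and the `Requester` status value are all constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MAX_XML = 64 * 1024  # cap on inflated size, guards against oversized input

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")

def logout_status(redirect_url):
    # Troubleshooting aid only: the SigAlg/Signature query parameters are
    # NOT verified here, so do not base trust decisions on the result.
    params = parse_qs(urlsplit(redirect_url).query)
    if "SAMLResponse" not in params:
        raise ValueError("redirect carries no SAMLResponse parameter")
    raw = base64.b64decode(params["SAMLResponse"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated message exceeds size cap")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}LogoutResponse" % SAMLP:
        raise ValueError("not a LogoutResponse: %s" % root.tag)
    codes = [c.get("Value") for c in root.iter("{%s}StatusCode" % SAMLP)]
    return root.get("InResponseTo"), codes  # codes are in document order

def logout_succeeded(redirect_url):
    _, codes = logout_status(redirect_url)
    return bool(codes) and codes[0] == SUCCESS

# Constructed sample: every ID, URL and the status value are made up.
SAMPLE_XML = (
    '<samlp:LogoutResponse xmlns:samlp="%s" ID="_constructed-response" '
    'Version="2.0" IssueInstant="2016-04-13T12:52:24Z" '
    'InResponseTo="_constructed-request"><samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/></samlp:Status>'
    '</samlp:LogoutResponse>' % SAMLP
)
SAMPLE_URL = "https://sp2.example.org/Shibboleth.sso/SLO/Redirect?" + urlencode(
    {"SAMLResponse": encode_redirect(SAMPLE_XML), "RelayState": "constructed"})

if __name__ == "__main__":
    print(logout_status(SAMPLE_URL), logout_succeeded(SAMPLE_URL))
```

Feeding it the redirect URL captured from a browser's network trace shows whether the redirect carried a response at all and, if so, which status it reported.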