Shibboleth 3.2.1 SAML logout fails: No active session(s) found matching LogoutRequest
Rajkumar Padmanabhan
rpadmanabhan at esri.com
Mon May 23 20:08:23 EDT 2016
Hi,
In Shibboleth 3.2.1, SP initiated SAML logouts are failing and the corresponding log entry seems to indicate that it can't find an existing session to complete the logout request:
2016-05-13 16:23:29,432 - DEBUG [org.springframework.webflow.execution.ActionExecutor:49] - Executing net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest at 14151622
2016-05-13 16:23:29,447 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:743] - Performing secondary lookup on service ID esrisaml.maps.arcgis.com and key Publisher
2016-05-13 16:23:29,447 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:707] - Performing primary lookup on session ID e2b179524e584c8bec475f7e1025b87d063cc15dc6cc5caba8997acc3fa9b033
2016-05-13 16:23:29,447 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:607] - Loading SPSession for service esrisaml.maps.arcgis.com in session e2b179524e584c8bec475f7e1025b87d063cc15dc6cc5caba8997acc3fa9b033
2016-05-13 16:23:29,447 - DEBUG [net.shibboleth.idp.session.SPSessionSerializerRegistry:86] - Registry located StorageSerializer of type 'net.shibboleth.idp.saml.session.impl.SAML2SPSessionSerializer' for SPSession type 'class net.shibboleth.idp.saml.session.SAML2SPSession'
2016-05-13 16:23:29,447 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:269] - Profile Action ProcessLogoutRequest: IdP session e2b179524e584c8bec475f7e1025b87d063cc15dc6cc5caba8997acc3fa9b033 does not contain a matching SP session
2016-05-13 16:23:29,447 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:315] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2016-05-13 16:23:29,447 - DEBUG [org.springframework.webflow.execution.ActionExecutor:53] - Finished executing net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest at 14151622; result = SessionNotFound
2016-05-13 16:23:29,447 - DEBUG [org.springframework.webflow.execution.AnnotatedAction:149] - Clearing action execution attributes map[[empty]]
2016-05-13 16:23:29,447 - DEBUG [org.springframework.webflow.execution.ActionExecutor:53] - Finished executing [EvaluateAction at 27cd448c expression = ProcessLogoutRequest, resultExpression = [null]]; result = SessionNotFound
2016-05-13 16:23:29,447 - DEBUG [org.springframework.webflow.engine.Transition:214] - Executing [Transition at 51ec90a9 on = !'proceed'.equals(currentEvent.id), to = HandleError]
2016-05-13 16:23:29,447 - DEBUG [org.springframework.webflow.engine.Transition:222] - Exiting state 'DoLogoutRequest'
I've made the following changes to idp.properties:
idp.errors.signed = true
idp.session.StorageService = shibboleth.StorageService
idp.session.trackSPSessions = true
idp.session.secondaryServiceIndex = true
idp.logout.elaboration = true
Is there something missing in the SP's logout request?
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://SHIBB321.esri.com/idp/profile/SAML2/POST/SLO"
ID="_yEFwvpsoTUPIAJmF"
IssueInstant="2016-05-23T23:55:46Z"
Version="2.0"
>
<saml:Issuer>saml.mapsdevext.arcgis.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
...
...
...
</Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SPNameQualifier="saml.mapsdevext.arcgis.com"
>Publisher</saml:NameID>
</samlp:LogoutRequest>
What can I do to troubleshoot this further? Below are the SAML requests and responses.
Thanks,
Raj.
Authn request
=============
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
AssertionConsumerServiceURL="https://saml.mapsdevext.arcgis.com/sharing/rest/oauth2/saml/signin"
Destination="https://SHIBB321.esri.com/idp/profile/SAML2/POST/SSO"
ID="_uUaPVKkdjaYffmNO"
IssueInstant="2016-05-23T23:51:01Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml:Issuer>saml.mapsdevext.arcgis.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_uUaPVKkdjaYffmNO">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>4Fa9NmqWAV8aMbn+Af0s7emCcq0XG1wt7g12z7Zlbmc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>cps1...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDZ...</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>jMLcq...</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
/>
</samlp:AuthnRequest>
Authn response
==============
<saml2p:Response Destination="https://saml.mapsdevext.arcgis.com/sharing/rest/oauth2/saml/signin"
ID="_227a18d300f279e6258b454521df7134"
InResponseTo="_uUaPVKkdjaYffmNO"
IssueInstant="2016-05-23T23:51:05.564Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://SHIBB321.esri.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_583ae178095c3cae1ed2c50b53cd278e"
IssueInstant="2016-05-23T23:51:05.564Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:Issuer>https://SHIBB321.esri.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_583ae178095c3cae1ed2c50b53cd278e">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>+2KyQsb6TwJsLIBvHJtoSwgqBpFkcGyILR1lsji5PsE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>F2Yd...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
NameQualifier="https://SHIBB321.esri.com/idp/shibboleth"
SPNameQualifier="saml.mapsdevext.arcgis.com"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>Publisher</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="10.29.77.147"
InResponseTo="_uUaPVKkdjaYffmNO"
NotOnOrAfter="2016-05-23T23:56:05.595Z"
Recipient="https://saml.mapsdevext.arcgis.com/sharing/rest/oauth2/saml/signin"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2016-05-23T23:51:05.564Z"
NotOnOrAfter="2016-05-23T23:56:05.564Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>saml.mapsdevext.arcgis.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2016-05-23T23:51:05.517Z"
SessionIndex="_d4fabbfff1669d9c3bb7a83f9cd9c02e"
>
<saml2:SubjectLocality Address="10.29.77.147" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="givenName"
Name="givenName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue>Portal Publisher</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail"
Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue>Publisher at esri.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Logout request
==============
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://SHIBB321.esri.com/idp/profile/SAML2/POST/SLO"
ID="_yEFwvpsoTUPIAJmF"
IssueInstant="2016-05-23T23:55:46Z"
Version="2.0"
>
<saml:Issuer>saml.mapsdevext.arcgis.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_yEFwvpsoTUPIAJmF">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>TdsEsM2XAhoQPkC+yr79FcU8BpsH0CtwG3Fo7266Qnw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>D4NmB...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIID...</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>jMLcq...</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SPNameQualifier="saml.mapsdevext.arcgis.com"
>Publisher</saml:NameID>
</samlp:LogoutRequest>
Logout response
================
<saml2p:LogoutResponse Destination="https://saml.mapsdevext.arcgis.com/sharing/rest/oauth2/saml/signout"
ID="_08f4232422304ca4e7f5917a0d2d9e21"
InResponseTo="_yEFwvpsoTUPIAJmF"
IssueInstant="2016-05-23T23:55:46.366Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://SHIBB321.esri.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_08f4232422304ca4e7f5917a0d2d9e21">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>wFOFHYyHxFyh9DAHAJY6qjCL/V0DfnrQdCPE5XPQiNQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SCU5...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal" />
</saml2p:StatusCode>
<saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:LogoutResponse>
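A concrete check an operator can run on the messages posted above, added here as an editorial example (it is not Shibboleth code and does not reproduce the IdP's exact matching logic). An IdP can only terminate an SP session for a LogoutRequest if the request's NameID identifies the same principal that was asserted at login; SAML 2.0 Core compares a NameID on its value, Format, NameQualifier and SPNameQualifier, and an absent Format means the SAML 1.1 "unspecified" URI. The two documents below are constructed from the posted Response assertion and LogoutRequest with signatures and unrelated attributes removed; the script reports every field on which the two NameIDs differ, and also whether the assertion's SessionIndex is echoed in the LogoutRequest (absence there is allowed by the spec and means "all sessions for this principal", so the NameID match alone has to succeed).

```python
"""Compare the NameID an IdP asserted at login with the NameID an SP sends back
in a LogoutRequest, field by field, as a troubleshooting aid for
"No active session(s) found matching LogoutRequest".

Editorial example, not Shibboleth or OpenSAML code. Both XML documents are
constructed from the messages in the post (signatures and attribute
statements dropped).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed from the posted Response: the NameID and AuthnStatement the IdP issued.
ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_583ae178095c3cae1ed2c50b53cd278e" Version="2.0" IssueInstant="2016-05-23T23:51:05.564Z">
  <saml2:Issuer>https://SHIBB321.esri.com/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
        NameQualifier="https://SHIBB321.esri.com/idp/shibboleth"
        SPNameQualifier="saml.mapsdevext.arcgis.com">Publisher</saml2:NameID>
  </saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2016-05-23T23:51:05.517Z"
      SessionIndex="_d4fabbfff1669d9c3bb7a83f9cd9c02e"/>
</saml2:Assertion>"""

# Constructed from the posted LogoutRequest (Signature element omitted).
LOGOUT_REQUEST_XML = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_yEFwvpsoTUPIAJmF" Version="2.0" IssueInstant="2016-05-23T23:55:46Z"
    Destination="https://SHIBB321.esri.com/idp/profile/SAML2/POST/SLO">
  <saml:Issuer>saml.mapsdevext.arcgis.com</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      SPNameQualifier="saml.mapsdevext.arcgis.com">Publisher</saml:NameID>
</samlp:LogoutRequest>"""

# The properties SAML 2.0 Core uses when deciding whether two NameIDs are the same principal.
NAMEID_FIELDS = ("value", "Format", "NameQualifier", "SPNameQualifier")

# SAML 2.0 Core: when Format is omitted, this URI is in effect.
UNSPECIFIED_DEFAULT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def name_id_fields(element):
    """Return the comparable fields of a saml:NameID element as a dict.
    Absent qualifiers stay None so they show up as a difference."""
    return {
        "value": (element.text or "").strip(),
        "Format": element.get("Format", UNSPECIFIED_DEFAULT),
        "NameQualifier": element.get("NameQualifier"),
        "SPNameQualifier": element.get("SPNameQualifier"),
    }


def asserted_name_id(assertion_xml):
    root = ET.fromstring(assertion_xml)
    return name_id_fields(root.find("saml:Subject/saml:NameID", NS))


def session_index(assertion_xml):
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    return stmt.get("SessionIndex") if stmt is not None else None


def logout_name_id(logout_xml):
    root = ET.fromstring(logout_xml)
    return name_id_fields(root.find("saml:NameID", NS))


def logout_session_indexes(logout_xml):
    root = ET.fromstring(logout_xml)
    return [e.text for e in root.findall("samlp:SessionIndex", NS)]


def name_id_mismatches(issued, requested):
    """Return {field: (issued_value, requested_value)} for each differing field.
    An empty dict means the two NameIDs would be treated as the same principal."""
    return {f: (issued[f], requested[f]) for f in NAMEID_FIELDS if issued[f] != requested[f]}


def diagnose(assertion_xml, logout_xml):
    """Human-readable findings for a 'session not found on logout' investigation."""
    findings = []
    mismatches = name_id_mismatches(asserted_name_id(assertion_xml), logout_name_id(logout_xml))
    for field, (issued, requested) in mismatches.items():
        findings.append(f"NameID {field}: IdP issued {issued!r}, SP sent {requested!r}")
    issued_index = session_index(assertion_xml)
    if issued_index and issued_index not in logout_session_indexes(logout_xml):
        findings.append(f"SessionIndex {issued_index} from the assertion is not in the "
                        "LogoutRequest (absent means: all sessions for this principal)")
    return findings


if __name__ == "__main__":
    for line in diagnose(ASSERTION_XML, LOGOUT_REQUEST_XML):
        print(line)
```

Run against the posted messages, the script reports two NameID differences (the Format URI and the missing NameQualifier) and the absent SessionIndex; the same script can be pointed at any captured assertion/LogoutRequest pair by replacing the two constructed strings.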