Logout Issue "Secondary lookup failed on service ID"

Lukas Hämmerle lukas.haemmerle at switch.ch
Wed Mar 1 12:06:05 EST 2017


Hello

We are testing IDP SLO (3.2.1) against another SAML implementation
(Kentor) but this does not seem to work as expected.

After getting the Logout Request from the SP the IdP logs:

DEBUG - Performing secondary lookup on service ID
https://campus-management.crealogix.com/CLX.Evento/AuthServices/ and key
o1hGEruBwBsZdNBkaBJRX4d6X5o=
DEBUG - Secondary lookup failed on service ID
https://campus-management.crealogix.com/CLX.Evento/AuthServices/ and key
o1hGEruBwBsZdNBkaBJRX4d6X5o=
DEBUG - Profile Action ProcessLogoutRequest: No active session(s) found
matching LogoutRequest
WARN - An error event occurred while processing the request: SessionNotFound


and then issues a SAML LogoutResponse with:

<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>


However, that secondary key was used in the SAML assertion issued for
that SP in the NameID:


<saml2:NameID
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  NameQualifier="https://test.eduid.ch/idp/shibboleth"
  SPNameQualifier="https://campus-management.crealogix.com/CLX.Evento/AuthServices/">o1hGEruBwBsZdNBkaBJRX4d6X5o=</saml2:NameID>


So, it seems that the IdP should have that ID somewhere. Does anybody have a
clue what goes wrong here? Could it be that this is related to
idp.session.StorageService = shibboleth.ClientSessionStorageService
(cookie-based storage)?


Best Regards
Lukas


-- 
SWITCH
Lukas Hämmerle, Central Solutions arch and Service Providers
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle at switch.ch, http://www.switch.ch

30 years of pioneering the Swiss Internet. Celebrate with us at
https://swit.ch/30years
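To make the two lookup stages behind those log lines concrete, here is a simplified Python model added to this post (not Shibboleth's own code): a session is indexed under (SP entity ID, NameID value) when the NameID is issued, a LogoutRequest is resolved against that index by (Issuer, NameID value), and the surviving candidates are then compared on the remaining NameID fields. An index holding no entries reproduces the "Secondary lookup failed" outcome from the log; the index layout and the LogoutRequest are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
SP = "https://campus-management.crealogix.com/CLX.Evento/AuthServices/"
IDP = "https://test.eduid.ch/idp/shibboleth"
KEY = "o1hGEruBwBsZdNBkaBJRX4d6X5o="

# Constructed copy of the NameID the post shows the IdP issuing to the SP.
ISSUED = (f'<saml2:NameID xmlns:saml2="{NS["saml2"]}" '
          f'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
          f'NameQualifier="{IDP}" SPNameQualifier="{SP}">{KEY}</saml2:NameID>')

def logout_request(issuer, value, sp_qualifier):
    """Constructed LogoutRequest carrying a persistent NameID (signature etc. omitted)."""
    return (f'<saml2p:LogoutRequest xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}" '
            f'ID="_r1" Version="2.0"><saml2:Issuer>{issuer}</saml2:Issuer>'
            f'<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
            f'NameQualifier="{IDP}" SPNameQualifier="{sp_qualifier}">{value}</saml2:NameID>'
            f'</saml2p:LogoutRequest>')

def nameid_fields(el):
    return {"value": (el.text or "").strip(), "Format": el.get("Format", UNSPECIFIED),
            "NameQualifier": el.get("NameQualifier"), "SPNameQualifier": el.get("SPNameQualifier")}

def nameids_match(issued, received):
    """Value must agree; a Format or qualifier present on both sides must agree (unspecified = wildcard)."""
    if issued["value"] != received["value"]:
        return False
    for attr in ("Format", "NameQualifier", "SPNameQualifier"):
        a, b = issued[attr], received[attr]
        if a and b and UNSPECIFIED not in (a, b) and a != b:
            return False
    return True

def record_session(index, session_id, service_id, nameid_xml):
    """Secondary index as a server-side store keeps it: (service ID, NameID value) -> sessions."""
    fields = nameid_fields(ET.fromstring(nameid_xml))
    index.setdefault((service_id, fields["value"]), {})[session_id] = fields

def process_logout(index, logout_request_xml):
    """Stage 1: secondary lookup on (Issuer, NameID value). Stage 2: full NameID comparison."""
    root = ET.fromstring(logout_request_xml)
    service_id = root.findtext("saml2:Issuer", namespaces=NS)
    received = nameid_fields(root.find("saml2:NameID", namespaces=NS))
    candidates = index.get((service_id, received["value"]), {})
    if not candidates:
        return "SessionNotFound (secondary lookup failed)", []
    matched = sorted(s for s, issued in candidates.items() if nameids_match(issued, received))
    return ("Success", matched) if matched else ("SessionNotFound (NameID mismatch)", [])
```

Running `process_logout` against an empty index gives the first SessionNotFound outcome, which is the shape of the failure in the log above; a trailing-slash difference in the SP entity ID or SPNameQualifier shows the two other ways the same error can arise.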


