No active session(s) found matching LogoutRequest
Eze Ikonne
ike.ikonne at altran.com
Thu Jul 18 01:40:35 EDT 2019
Hi Nate,
I tried the suggestions that you made in my earlier post, but I am still getting the same error message from the Shibboleth SAML IDP. Here is the LogoutRequest from the SP and the corresponding LogoutResponse from the IDP:
LogoutRequest (SP)
<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://xxx.xxx.xxx.xxx:8443/idp/profile/SAML2/Redirect/SLO"
ID="olipijnbmbhmogmhdommbninnkoloibgmlgdlkle"
IssueInstant="2019-07-18T04:36:25.659Z"
NotOnOrAfter="2019-07-18T04:41:25.659Z"
Reason="urn:oasis:names:tc:SAML:2.0:logout:user"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://xxx.xxx.xxx.com:14782/</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
NameQualifier="https://xxx.xxx.xxx.xxx:8443/idp/shibboleth">nmanda4</saml2:NameID>
<saml2p:SessionIndex>_5db1c6d5e62dded721ecfcec89e227a4</saml2p:SessionIndex>
</saml2p:LogoutRequest>
LogoutResponse (IDP)
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse Destination="https://xxx.xxx.xxx.xxx:14782/Signon/saml2SloPost"
ID="_f72a752f20f60ea3a6d2ab77b7a3e5ca"
InResponseTo="olipijnbmbhmogmhdommbninnkoloibgmlgdlkle"
IssueInstant="2019-07-18T04:35:00.573Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://xxx.xxx.xxx.xxx:8443/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_f72a752f20f60ea3a6d2ab77b7a3e5ca">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>rrvhmQ5gPb/kFvUzLmWgKmdsS87Q1Z7c77q18EN/KRU=</ds:DigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxx </ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data><ds:X509Certificate>
XXXXXXXXXXXX
</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
</saml2p:StatusCode>
<saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:LogoutResponse>
Snippet from IDP process Log
2019-07-17 21:35:00,510 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:211] - Profile Action PopulateSignatureSigningParameters: Signing enabled
2019-07-17 21:35:00,510 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:194] - Message Handler: Signing enabled
2019-07-17 21:35:00,510 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:207] - Message Handler: Resolving SignatureSigningParameters for request
2019-07-17 21:35:00,510 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:220] - Message Handler: Found existing SecurityParametersContext to copy from
2019-07-17 21:35:00,526 - 10.120.136.133 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:274] - Profile Action PopulateEncryptionParameters: Inbound logout message, nothing to do
2019-07-17 21:35:00,541 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.messaging.context.SAMLSubjectNameIdentifierContext:162] - Ignoring LogoutRequest, Subject does not require processing
2019-07-17 21:35:00,541 - 10.120.136.133 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2019-07-17 21:35:00,557 - 10.120.136.133 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:834] - Performing secondary lookup on service ID https://xxx.xxx.xxx.xxx:14782/ and key nmanda4
2019-07-17 21:35:00,557 - 10.120.136.133 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:856] - Secondary lookup failed on service ID https://xxx.xxx.xxx.xxx:14782/ and key nmanda4
2019-07-17 21:35:00,557 - 10.120.136.133 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:402] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2019-07-17 21:35:00,573 - 10.120.136.133 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: SessionNotFound
2019-07-17 21:35:00,573 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:173] - Error event SessionNotFound will be handled with response
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
Sent: Wednesday, July 17, 2019 1:47 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: No active session(s) found matching LogoutRequest
Note also that you'll need a StorageService compatible with LogoutRequest messages. I suspect that might be where you're stuck.
https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.shibboleth.net_confluence_display_IDP30_LogoutConfiguration-23LogoutConfiguration-2DSAMLLogout&d=DwICAg&c=cxWN2QSDopt5SklNfbjIjg&r=9EhYabrbBNvJhLb9eW1k973v8ouhMLndFRJB8Bp9aFE&m=bGpVknJ4AfwQU7jlf6r8EGPKVhcdIvPd0pU6p8QEHew&s=t65PtCUXp2iZrDgOPkZAXiFh87GfsNIujjmLnzKO-Oo&e=
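Added example, not part of the original thread and not Shibboleth's own code: the IdP log above shows the session lookup keyed on the SP's service ID plus the NameID value taken from the LogoutRequest, so one check worth running is whether the request carries the same NameID and SessionIndex the IdP issued at login. The Python script below makes that comparison and pulls the failed lookup and the resulting event out of the log; the login assertion, hostnames and identifier values are constructed placeholders, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

A = "{urn:oasis:names:tc:SAML:2.0:assertion}"
P = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Constructed samples: hostnames and identifiers are placeholders, not values from the post.
LOGIN_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Subject><saml2:NameID>AAdzZWNyZXQx</saml2:NameID></saml2:Subject>
 <saml2:AuthnStatement SessionIndex="_idx1"/>
</saml2:Assertion>"""
LOGOUT_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0">
 <saml2:Issuer>https://sp.example.org:14782/</saml2:Issuer>
 <saml2:NameID>nmanda4</saml2:NameID>
 <saml2p:SessionIndex>_idx1</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""
IDP_LOG = """\
2019-07-17 21:35:00,557 - DEBUG [StorageBackedSessionManager:834] - Performing secondary lookup on service ID https://sp.example.org:14782/ and key nmanda4
2019-07-17 21:35:00,557 - DEBUG [StorageBackedSessionManager:856] - Secondary lookup failed on service ID https://sp.example.org:14782/ and key nmanda4
2019-07-17 21:35:00,573 - WARN [LogEvent:105] - A non-proceed event occurred while processing the request: SessionNotFound
"""

LOOKUP = re.compile(r"Secondary lookup failed on service ID (\S+) and key (\S+)")
EVENT = re.compile(r"non-proceed event occurred while processing the request: (\w+)")

def subject_of(xml_text):
    """Return (NameID value, set of SessionIndex values) for an assertion or LogoutRequest."""
    root = ET.fromstring(xml_text)  # for messages you captured yourself; use defusedxml on untrusted XML
    name_id = root.find(f".//{A}NameID").text.strip()
    idx = {e.text.strip() for e in root.iter(f"{P}SessionIndex")}
    idx |= {e.get("SessionIndex") for e in root.iter(f"{A}AuthnStatement")} - {None}
    return name_id, idx

def diagnose(assertion_xml, request_xml, log_text):
    """List findings that explain why the IdP could not match the request to a session."""
    a_val, a_idx = subject_of(assertion_xml)
    r_val, r_idx = subject_of(request_xml)
    issuer = ET.fromstring(request_xml).find(f"{A}Issuer").text.strip()
    findings = []
    if r_val != a_val:  # the request must name the principal exactly as issued at login
        findings.append("nameid-value-differs-from-login")
    if not (r_idx & a_idx):
        findings.append("sessionindex-differs-from-login")
    for svc, key in LOOKUP.findall(log_text):
        if (svc, key) == (issuer, r_val):  # the IdP searched with exactly what the SP sent
            findings.append(f"idp-lookup-failed:{svc}|{key}")
    findings += [f"event:{e}" for e in EVENT.findall(log_text)]
    return findings
```
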