Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest - Unknown Principle in the LogoutResponse, status is not SUCCESS

Nrusimhayya Manda nrusimhayya.manda at altran.com
Thu Jul 18 13:36:44 EDT 2019


I am getting the above error in the IdP log when processing the LogoutRequest sent to it by our SP.
I tried a few variations, which did not make a difference.
Thanks for your help.
Naru
idp.session.StorageService = shibboleth.StorageService
#idp.session.StorageService = shibboleth.ClientPersistentStorageService   (tried this as well did not make a difference)
idp.session.timeout = PT60M
idp.slop.session = PT0S
idp.session.trackSPSessions = true
idp.session.secondaryServiceIndex = true
idp.session.defaultSPlifetime = PT2H

relying-party.xml
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://<SP host>:<SP port>/">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Sp-metadata.xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2029-07-12T08:51:55Z" cacheDuration="PT604800S" entityID="https://<SP host>:<SP port>/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> ...... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>  ....  </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
   <!-- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<SP host>:<SP port>/Signon/saml2SloRedirect"/>-->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<SP host>:<SP port>/Signon/saml2SloPost"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<SP host>:<SP port>/Signon/saml2SsoPost" index="60"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>



DEBUG [org.opensaml.saml.common.messaging.context.SAMLSubjectNameIdentifierContext:162] - Ignoring LogoutRequest, Subject does not require processing
2019-07-17 19:15:10,849 - 10.120.136.133 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2019-07-17 19:15:10,865 - 10.120.136.133 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:834] - Performing secondary lookup on service ID https://<SP host>:<SP port>/ and key nmanda4
2019-07-17 19:15:10,865 - 10.120.136.133 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:856] - Secondary lookup failed on service ID https://<SP host>:<SP port>/ and key nmanda4
2019-07-17 19:15:10,865 - 10.120.136.133 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:402] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest

I am listing below sections of the AuthnRequest (from SP), AuthnResponse (from IdP), LogoutRequest (to IdP) and LogoutResponse (from IdP):
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_fdcc75e859484f469e9a8b73d30de18d7f272938" Version="2.0"
IssueInstant="2019-07-17T22:04:27.761Z"
Destination="https://<Idp host>:8443/idp/profile/SAML2/Redirect/SSO"
AssertionConsumerServiceIndex="60">
<saml:Issuer>https://<SP host>:<SP port>/</saml:Issuer>
</samlp:AuthnRequest>
<saml2p:Response Destination="https://<SP host>:<SP port>/Signon/saml2SsoPost" ID="_e6d44f8582dc118a4f58d625a57574a5" InResponseTo="_c9136f5fc30073528407418ed0fed6315c73bd48" IssueInstant="2019-07-17T22:03:21.549Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<Idp host>:<IdP port>/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_e6d44f8582dc118a4f58d625a57574a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>E/7q6EydZkIOlFeRVhUk9FnzyOU+THqenIbJFnNrvYQ=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>....... </ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate> cert data ....</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion ID="_189b9bb9bae5af19441957cf0665919b" IssueInstant="2019-07-17T22:03:21.549Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>https://<Idp host>:<IdP port>/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_189b9bb9bae5af19441957cf0665919b"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>eqGfHSjU8GU7bNQ2AB8vaet2VVIl8sNhzOmQzMKODqA=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>......... </ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate> .......</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>

<saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://<IdP host>:<IdP port>/idp/shibboleth"
SPNameQualifier="https://<SP host>:<SP port>/"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">DZXGELUVHN5MQTFOGQTKUKZOMCVHI6UD</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="10.120.136.133"
InResponseTo="_c9136f5fc30073528407418ed0fed6315c73bd48"
NotOnOrAfter="2019-07-17T22:08:21.596Z"
Recipient="https:// <SP host>:<SP port>/Signon/saml2SsoPost"/>
</saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2019-07-17T22:03:21.549Z" NotOnOrAfter="2019-07-17T22:08:21.549Z">
<saml2:AudienceRestriction><saml2:Audience>https:// <SP host>:<SP port>/</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-07-17T22:03:21.455Z"
SessionIndex="_b5338de14f09b9671729470b9562b35b"><saml2:SubjectLocality Address="1.2.3.4"/>
<saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>nmanda4</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://<IdP host>:<IdP port>/idp/profile/SAML2/Redirect/SLO"
ID="olipijnbmbhmogmhdommbninnkoloibgmlgdlkle"
IssueInstant="2019-07-18T04:36:25.659Z"
NotOnOrAfter="2019-07-18T04:41:25.659Z"
Reason="urn:oasis:names:tc:SAML:2.0:logout:user"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<SP host>:<SP port>/</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
NameQualifier="https://<IDP HOST>:<IDP PORT>/idp/shibboleth">nmanda4</saml2:NameID>   { tested with adding the SP Name Qualifier (https://<SP host>:<SP port>/) as well did not make a difference}
<saml2p:SessionIndex>_5db1c6d5e62dded721ecfcec89e227a4</saml2p:SessionIndex>
</saml2p:LogoutRequest>
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse Destination="https://<SP host>:<SP port>/Signon/saml2SloPost"
ID="_f72a752f20f60ea3a6d2ab77b7a3e5ca"
InResponseTo="olipijnbmbhmogmhdommbninnkoloibgmlgdlkle"
IssueInstant="2019-07-18T04:35:00.573Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<IDP HOST>:<IDP PORT>/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_f72a752f20f60ea3a6d2ab77b7a3e5ca">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>rrvhmQ5gPb/kFvUzLmWgKmdsS87Q1Z7c77q18EN/KRU=</ds:DigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue> ... </ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data><ds:X509Certificate> ... </ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
                <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
                <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
                </saml2p:StatusCode>
                <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
                </saml2p:Status>
</saml2p:LogoutResponse>
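
A check over the captured messages above, as an added example that is not part of the original post: it compares the NameID and SessionIndex issued in the assertion with those sent in the LogoutRequest, the same fields the IdP log's secondary lookup (service ID plus key `nmanda4`) depends on. The samples are constructed by trimming the post's messages, with example.org hosts as assumed stand-ins for the placeholder hosts; `name_id` and `slo_mismatches` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed samples: trimmed from the messages in the post, with
# example.org hosts standing in for the <SP host>/<IdP host> placeholders.
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Subject><saml2:NameID
 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
 NameQualifier="https://idp.example.org/idp/shibboleth"
 SPNameQualifier="https://sp.example.org/">DZXGELUVHN5MQTFOGQTKUKZOMCVHI6UD</saml2:NameID></saml2:Subject>
<saml2:AuthnStatement SessionIndex="_b5338de14f09b9671729470b9562b35b"/>
</saml2:Assertion>"""

LOGOUT_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID NameQualifier="https://idp.example.org/idp/shibboleth">nmanda4</saml2:NameID>
<saml2p:SessionIndex>_5db1c6d5e62dded721ecfcec89e227a4</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

def name_id(root):
    """Return the first NameID as a dict of its value and qualifying attributes."""
    el = root.find(".//saml2:NameID", NS)
    return {"value": (el.text or "").strip(),
            "Format": el.get("Format"),
            "NameQualifier": el.get("NameQualifier"),
            "SPNameQualifier": el.get("SPNameQualifier")}

def slo_mismatches(assertion_xml, logout_xml):
    """List the fields where the LogoutRequest differs from the issued assertion."""
    issued = ET.fromstring(assertion_xml)
    request = ET.fromstring(logout_xml)
    a, r = name_id(issued), name_id(request)
    diffs = [f"NameID {k}: issued {a[k]!r}, sent {r[k]!r}" for k in a if a[k] != r[k]]
    issued_idx = issued.find(".//saml2:AuthnStatement", NS).get("SessionIndex")
    sent_idx = [e.text.strip() for e in request.findall("saml2p:SessionIndex", NS)]
    # A LogoutRequest may omit SessionIndex; only flag values that were sent.
    if sent_idx and issued_idx not in sent_idx:
        diffs.append(f"SessionIndex: issued {issued_idx!r}, sent {sent_idx!r}")
    return diffs

if __name__ == "__main__":
    for line in slo_mismatches(ASSERTION, LOGOUT_REQUEST):
        print(line)
```

The AuthnResponse and LogoutRequest in the post carry different dates, so the SessionIndex difference may only reflect captures from separate logins; the NameID differences do not depend on that.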