Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest - Unknown Principle in the LogoutResponse, status is not SUCCESS
Nrusimhayya Manda
nrusimhayya.manda at altran.com
Fri Jul 19 03:51:39 EDT 2019
Thanks Scott. I changed the LogoutRequest to match the NameID from the AuthnResponse and I am still getting the same error.
I made sure the SessionIndex matches.
What am I missing?
Thanks
Naru
2019-07-19 00:23:22,246 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.messaging.context.SAMLSubjectNameIdentifierContext:162] - Ignoring LogoutRequest, Subject does not require processing
2019-07-19 00:23:22,246 - 10.120.136.133 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2019-07-19 00:23:22,246 - 10.120.136.133 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:834] - Performing secondary lookup on service ID https://sspdev01.ustxlab.aricent.com:14782/ and key DZXGELUVHN5MQTFOGQTKUKZOMCVHI6UD
2019-07-19 00:23:22,246 - 10.120.136.133 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:856] - Secondary lookup failed on service ID https://sspdev01.ustxlab.aricent.com:14782/ and key DZXGELUVHN5MQTFOGQTKUKZOMCVHI6UD
2019-07-19 00:23:22,246 - 10.120.136.133 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:402] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2019-07-19 00:23:22,246 - 10.120.136.133 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: SessionNotFound
2019-07-19 00:23:22,246 - 10.120.136.133 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:173] - Error event SessionNotFound will be handled with response
2019-07-19 00:23:22,246 - 10.120.136.133 - DEBUG [org.opensaml.saml.saml2.profile.impl.AbstractResponseShellAction:217] - Profile Action AddStatusResponseShell: Setting Issuer to https://TULWDEV-016:8443/idp/shibboleth
My LogoutRequest to IdP:
=========================================
<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://172.20.186.186:8443/idp/profile/SAML2/Redirect/SLO" ID="jppmihnomdchhbieddbdeajaocogonenllpgbfbh" IssueInstant="2019-07-19T07:24:49.249Z" NotOnOrAfter="2019-07-19T07:29:49.249Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sspdev01.ustxlab.aricent.com:14782/</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://TULWDEV-016:8443/idp/shibboleth"
SPNameQualifier="https://sspdev01.ustxlab.aricent.com:14782/">
DZXGELUVHN5MQTFOGQTKUKZOMCVHI6UD
</saml2:NameID>
<saml2p:SessionIndex>_c348c0c8a540baa7b5e329d02d2ec7eb</saml2p:SessionIndex>
</saml2p:LogoutRequest>
My AuthnResponse from IdP
================================================
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:Response Destination="https://sspdev01.ustxlab.aricent.com:14782/Signon/saml2SsoPost" ID="_205626bf49f6b8c2f178b7bfc99c4355" InResponseTo="_e0fe4b475f623fb2614c78dfb3c93830f7392bb3" IssueInstant="2019-07-19T07:23:08.858Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://TULWDEV-016:8443/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_205626bf49f6b8c2f178b7bfc99c4355"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>q6CuRTCTRMkfKsNIJLxii+l2LqqhPR8hMwHPrywyP5o=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue> .... </ds:SignatureValue><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate> .......</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="_419c0bbfab52e0c478b7ea3ce774ce2a" IssueInstant="2019-07-19T07:23:08.858Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>https://TULWDEV-016:8443/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_419c0bbfab52e0c478b7ea3ce774ce2a"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>vmt/KKRootgw3R3nK5ZU7DARTMLmGDDzmfEwu8q5C5w=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue> .... </ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIESDCCArCgAwIBAgIVAOxgF0B6+kG4Ka8JoxQYLclH3RCvMA0GCSqGSIb3DQEBCwUAMCIxIDAe
....</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://TULWDEV-016:8443/idp/shibboleth"
SPNameQualifier="https://sspdev01.ustxlab.aricent.com:14782/">
DZXGELUVHN5MQTFOGQTKUKZOMCVHI6UD
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="10.120.136.133" InResponseTo="_e0fe4b475f623fb2614c78dfb3c93830f7392bb3" NotOnOrAfter="2019-07-19T07:28:08.874Z" Recipient="https://sspdev01.ustxlab.aricent.com:14782/Signon/saml2SsoPost"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2019-07-19T07:23:08.858Z" NotOnOrAfter="2019-07-19T07:28:08.858Z"><saml2:AudienceRestriction><saml2:Audience>https://sspdev01.ustxlab.aricent.com:14782/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-07-19T07:23:08.796Z"
SessionIndex="_c348c0c8a540baa7b5e329d02d2ec7eb">
<saml2:SubjectLocality Address="10.120.136.133"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>nmanda4</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
====================================================================
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, July 18, 2019 3:21 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest - Unknown Principle in the LogoutResponse, status is not SUCCESS
On 7/18/19, 1:37 PM, "users on behalf of Nrusimhayya Manda" <users-bounces at shibboleth.net on behalf of nrusimhayya.manda at altran.com> wrote:
Issued:
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://<IdP host>:<IdP port>/idp/shibboleth"
SPNameQualifier="https://<SP host>:<SP port>/"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">DZXGELUVHN5MQTFOGQTKUKZOMCVHI6UD</saml2:NameID>
Logout:
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
NameQualifier="https://<IDP HOST>:<IDP PORT>/idp/shibboleth">nmanda4</saml2:NameID>
They don't match. SAML requires they match. That's it. Exactly what I already told the other person that asked the same question.
Format, both qualifiers, the value, all have to match.
-- Scott
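Added example, not part of the original thread and not Shibboleth code: a small check that compares the NameID in a LogoutRequest with the one issued in the assertion on the four properties named in the quoted reply (Format, both qualifiers, the value). The hosts, identifiers and function names are constructed for illustration; the value is compared verbatim, following SAML's exact string comparison, so a value padded with whitespace is reported as a difference.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRS = ("Format", "NameQualifier", "SPNameQualifier")

def nameid_fields(xml_text):
    """Return Format, both qualifiers and the value of the first NameID."""
    nameid = ET.fromstring(xml_text).find(".//saml2:NameID", NS)
    if nameid is None:
        raise ValueError("no saml2:NameID element found")
    fields = {name: nameid.get(name) for name in ATTRS}
    fields["value"] = nameid.text or ""  # verbatim: no trimming
    return fields

def nameid_mismatches(issued_xml, logout_xml):
    """List every NameID property that differs between the two messages."""
    issued, logout = nameid_fields(issued_xml), nameid_fields(logout_xml)
    problems = []
    for key in ATTRS + ("value",):
        if issued[key] == logout[key]:
            continue
        note = ""
        if key == "value" and issued[key].strip() == logout[key].strip():
            note = " (differs only in surrounding whitespace)"
        problems.append(f"{key}: issued={issued[key]!r} logout={logout[key]!r}{note}")
    return problems

# Constructed sample messages (hosts and identifiers are placeholders).
IDP, SP = "https://idp.example.org/idp/shibboleth", "https://sp.example.org/"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FULL = f'Format="{PERSISTENT}" NameQualifier="{IDP}" SPNameQualifier="{SP}"'
XMLNS = ('xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"')

def wrap(root, attrs, value):
    """Build a minimal message whose only content is one NameID."""
    return f"<{root} {XMLNS}><saml2:NameID {attrs}>{value}</saml2:NameID></{root}>"

ISSUED = wrap("saml2:Assertion", FULL, "SAMPLEPERSISTENTID")
LOGOUT_UID = wrap("saml2p:LogoutRequest", f'NameQualifier="{IDP}"', "sampleuser")
LOGOUT_PADDED = wrap("saml2p:LogoutRequest", FULL, "\n  SAMPLEPERSISTENTID\n")
LOGOUT_EXACT = wrap("saml2p:LogoutRequest", FULL, "SAMPLEPERSISTENTID")

if __name__ == "__main__":
    for name in ("LOGOUT_UID", "LOGOUT_PADDED", "LOGOUT_EXACT"):
        diffs = nameid_mismatches(ISSUED, globals()[name])
        print(name, "->", diffs or "NameID matches")
```
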