SLO failure after 15 minutes - SessionNotFound

Matej Zagiba matej.zagiba at fmph.uniba.sk
Wed Sep 25 10:46:40 EDT 2019


Hello,

  I am using IdP version 3.4.4 and have problems with single logout.
Everything works nicely for the first 15 minutes, then logout ends with the error SessionNotFound.

I would be thankful for any help and will gladly provide any data necessary.

  Matej Zagiba

Here are the non-default settings from idp.properties:

idp.additionalProperties= /conf/saml-nameid.properties, /conf/services.properties
idp.entityID= https://idp.uniba.sk/idp/shibboleth
idp.scope= uniba.sk
idp.cookie.secure = true
idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
idp.signing.key= %{idp.home}/credentials/idp-signing.key
idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
idp.storage.htmlLocalStorage = true
idp.session.StorageService = shibboleth.ClientPersistentStorageService
idp.session.timeout = PT60M
idp.session.slop = P1D
idp.session.trackSPSessions = true
idp.session.secondaryServiceIndex = true
idp.session.defaultSPlifetime = P1D
idp.authn.flows= Password|RemoteUserInternal
idp.authn.flows.initial = Password|RemoteUserInternal
idp.authn.defaultLifetime = PT60M
idp.authn.defaultTimeout = PT45M
idp.consent.allowGlobal = false
idp.consent.allowPerAttribute = true
idp.logout.elaboration = true
idp.ui.fallbackLanguages= en,fr,de


Here are the logs:
2019-09-25 15:21:38,860 - DEBUG [PROTOCOL_MESSAGE:127] -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
     AssertionConsumerServiceURL="https://ais2auth-vyvoj.science.upjs.sk/commonauth"
     Destination="https://idp.uniba.sk/idp/profile/SAML2/POST/SSO"
     ForceAuthn="false" ID="_39cbbf043d1fb17016b7040d7be65a0e"
     IsPassive="false" IssueInstant="2019-09-25T13:21:37.134Z"
     Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
     <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">AIS2VYVOJSP</samlp:Issuer>
     <ds:Signature
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
                 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
                 Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
                         URI="#_39cbbf043d1fb17016b7040d7be65a0e">
<ds:Transforms>
<ds:Transform
                         Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
                     Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>FuDexgYkA17zotCDddKS6r3hnf9T/yPapMGqOmVQf9U=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Oo3bTfnEDq8Etit6fVxJac4pO4J7tp0jVUkJq+dnwltRCLajVnyp/i/k9rIFQ7wbCFI9D23zuye1
+O7gS15NRtRd+QfKgd7gyrNRVykI1QhdRDvyZ16p4OheyzOcnyeNGVMJX89zm8Uc46M4vzBwksEY
TcwH7E36gmiYLLLFz4Jpfs0svxhpqFjxI60sC6AXanxvvDyAbjHsZUHsQMIttJSG4OARszsbnrc9
MS7tLFkJkJ0ptZDhtud8QrZDHbn+THytC0A22RssfL+KHvnrjoI6Um1tia5R4FgEoYspyzJnNX/S
/OYwqX87OoLeBpXYP1sS1D0HD9co2UKoo2wXfw==
</ds:SignatureValue>
</ds:Signature>
     <saml2p:RequestedAuthnContext Comparison="exact" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
         <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
     </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

...

2019-09-25 15:21:51,543 - DEBUG [PROTOCOL_MESSAGE:131] - Profile Action EncryptAssertions: Response before assertion encryption:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="_f4be1e34c3505be8a4f7f5a73d200589"
     InResponseTo="_39cbbf043d1fb17016b7040d7be65a0e"
     IssueInstant="2019-09-25T13:21:51.209Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.uniba.sk/idp/shibboleth</saml2:Issuer>
     <saml2p:Status>
         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </saml2p:Status>
     <saml2:Assertion ID="_6c5ed95a008edd61cf6c9e6e0899c8f0"
         IssueInstant="2019-09-25T13:21:51.209Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
         <saml2:Issuer>https://idp.uniba.sk/idp/shibboleth</saml2:Issuer>
         <saml2:Subject>
             <saml2:NameID
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 NameQualifier="https://idp.uniba.sk/idp/shibboleth"
                 SPNameQualifier="AIS2VYVOJSP" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQx+CqCPtl5V1m8t8n2Zy0CUJuq5OJfPLRW0gkqzuLhxlvgCLa4NWwdvxA/HUNgkjn8IsWVvUC1XhhIgPRTQO7l3P4V4d4fs31f8R/l4llpu0Im</saml2:NameID>
             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                 <saml2:SubjectConfirmationData Address="37.58.1.1"
                     InResponseTo="_39cbbf043d1fb17016b7040d7be65a0e"
                     NotOnOrAfter="2019-09-25T13:26:51.353Z" Recipient="https://ais2auth-vyvoj.science.upjs.sk/commonauth"/>
             </saml2:SubjectConfirmation>
         </saml2:Subject>
         <saml2:Conditions NotBefore="2019-09-25T13:21:51.209Z" NotOnOrAfter="2019-09-25T13:26:51.209Z">
             <saml2:AudienceRestriction>
                 <saml2:Audience>AIS2VYVOJSP</saml2:Audience>
             </saml2:AudienceRestriction>
         </saml2:Conditions>
         <saml2:AuthnStatement AuthnInstant="2019-09-25T13:21:50.335Z" SessionIndex="_f83bb986123c54719d6f8b13a3b2f2c5">
             <saml2:SubjectLocality Address="37.58.1.1"/>
             <saml2:AuthnContext>
                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
             </saml2:AuthnContext>
         </saml2:AuthnStatement>
         <saml2:AttributeStatement>
             <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 <saml2:AttributeValue
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">aaa bbb</saml2:AttributeValue>
             </saml2:Attribute>
             <saml2:Attribute FriendlyName="uid"
                 Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 <saml2:AttributeValue
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">aaa</saml2:AttributeValue>
             </saml2:Attribute>
             <saml2:Attribute FriendlyName="o" Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 <saml2:AttributeValue
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Univerzita Komenského v Bratislave</saml2:AttributeValue>
             </saml2:Attribute>
             <saml2:Attribute FriendlyName="eduPersonTargetedID"
                 Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 <saml2:AttributeValue>
                     <saml2:NameID
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                         NameQualifier="https://idp.uniba.sk/idp/shibboleth" SPNameQualifier="AIS2VYVOJSP">+rzprCauIXbnIoHbjqbgLG0/WYw=</saml2:NameID>
                 </saml2:AttributeValue>
             </saml2:Attribute>
             <saml2:Attribute FriendlyName="mefaPerson"
                 Name="http://www.mefanet.cz/mefaperson/" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 <saml2:AttributeValue
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue>
             </saml2:Attribute>
         </saml2:AttributeStatement>
     </saml2:Assertion>
</saml2p:Response>

...

2019-09-25 15:43:02,982 - DEBUG [PROTOCOL_MESSAGE:127] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
     Destination="https://idp.uniba.sk/idp/profile/SAML2/POST/SLO"
     ID="_4dbb6a3b39822dc8c4074f89b0910be1"
     IssueInstant="2019-09-25T13:43:01.353Z"
     NotOnOrAfter="2019-09-25T13:48:01.353Z" Reason="Single Logout"
     Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AIS2VYVOJSP</saml2:Issuer>
     <ds:Signature
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
                 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
                 Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
                         URI="#_4dbb6a3b39822dc8c4074f89b0910be1">
<ds:Transforms>
<ds:Transform
                         Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
                     Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>ofcbpatLp9xDluIE22wnL8KP2Z9oySVHfHdI+9f9bx8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
gllpDb4M6RDTZaffG9/dNIPlVEWMYms3AYJfD92kwyT4CFJ9c1WTfBD26fgFO2i6z5NMGpjqb1mM
5G4EAUKdi6okP3bMgTK2DaEuc5icKYKVWH+QwUHSp+1kyxD3ppKAAyvbkHgfod7xDkvA14aWMcnv
3jY15iObsYCZjM49drp8oUgkNkUljR7Obfv9NVv5NJXPdpPcqZK8zDnbYPqh4ledKYy2B3U4agUS
i/Pk9PMBiYL6VYae8i8Dzb/opDHRRmFB6vNwJuPupdSTHue4Ib3NoKIo+47Xc3YrUxxTBtJLDrRC
U2ipIjhlC38JogPR+qjYgrtYkg3HlTUOQ9dmkQ==
</ds:SignatureValue>
</ds:Signature>
     <saml2:NameID NameQualifier="https://idp.uniba.sk/idp/shibboleth"
         SPNameQualifier="AIS2VYVOJSP" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQx+CqCPtl5V1m8t8n2Zy0CUJuq5OJfPLRW0gkqzuLhxlvgCLa4NWwdvxA/HUNgkjn8IsWVvUC1XhhIgPRTQO7l3P4V4d4fs31f8R/l4llpu0Im</saml2:NameID>
     <saml2p:SessionIndex>_f83bb986123c54719d6f8b13a3b2f2c5</saml2p:SessionIndex>
</saml2p:LogoutRequest>

...

2019-09-25 15:43:03,206 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:136] - Message Handler:  Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}LogoutRequest

...

2019-09-25 15:43:03,333 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:834] - Performing secondary lookup on service ID AIS2VYVOJSP and key AAdzZWNyZXQx+CqCPtl5V1m8t8n2Zy0CUJuq5OJfPLRW0gkqzuLhxlvgCLa4NWwdvxA/HUNgkjn8IsWVvUC1XhhIgPRTQO7l3P4V4d4fs31f8R/l4llpu0Im
2019-09-25 15:43:03,333 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:798] - Performing primary lookup on session ID a6d9308f8a1409674bab558cf400d45a2089ee6c7d44aef37dbdebd145ace0ae
2019-09-25 15:43:03,336 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:615] - Loading SPSession for service AIS2VYVOJSP in session a6d9308f8a1409674bab558cf400d45a2089ee6c7d44aef37dbdebd145ace0ae
2019-09-25 15:43:03,337 - DEBUG [net.shibboleth.idp.session.SPSessionSerializerRegistry:86] - Registry located StorageSerializer of type 'net.shibboleth.idp.saml.session.impl.SAML2SPSessionSerializer' for SPSession type 'class net.shibboleth.idp.saml.session.SAML2SPSession'
2019-09-25 15:43:03,339 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:356] - Profile Action ProcessLogoutRequest: IdP session a6d9308f8a1409674bab558cf400d45a2089ee6c7d44aef37dbdebd145ace0ae does not contain a matching SP session
2019-09-25 15:43:03,340 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:402] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2019-09-25 15:43:03,353 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: SessionNotFound
2019-09-25 15:43:03,354 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:173] - Error event SessionNotFound will be handled with response

...

2019-09-25 15:43:03,456 - DEBUG [PROTOCOL_MESSAGE:70] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse
     Destination="https://ais2auth-vyvoj.science.upjs.sk/commonauth"
     ID="_09705201a05340e8e5a5905062ea28c9"
     InResponseTo="_4dbb6a3b39822dc8c4074f89b0910be1"
     IssueInstant="2019-09-25T13:43:03.363Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.uniba.sk/idp/shibboleth</saml2:Issuer>
     <saml2p:Status>
         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
             <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
         </saml2p:StatusCode>
         <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
     </saml2p:Status>
</saml2p:LogoutResponse>
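The post above ends with the IdP answering UnknownPrincipal after it located the session by secondary index but found no SP session that matched the LogoutRequest. The script below is an added example (not from the post and not Shibboleth code) of the correlation a practitioner would do before opening a ticket: it parses trimmed copies of the posted Response and LogoutRequest, checks that the LogoutRequest's Issuer, SessionIndex and NameID (value, NameQualifier, SPNameQualifier, and Format, which SAML treats as "unspecified" when absent) line up with what the assertion carried, and compares the time between AuthnInstant and the LogoutRequest's IssueInstant against the lifetimes from the posted idp.properties. The function names, the treatment of AuthnInstant as the start of every lifetime (a worst case, since the inactivity timeouts reset on use) and the choice of which properties to compare are assumptions of this example. Run on the posted messages it reports about 21 minutes elapsed, no expired lifetime, and one difference: the assertion's NameID was transient while the LogoutRequest's NameID has no Format. Whether that difference matters depends on the IdP's SP-session matching rules, which the post does not show.

```python
"""Correlate a SAML 2.0 LogoutRequest with the Response it is meant to terminate.

Added example, standard library only. The two messages are trimmed copies of the
ones in the post (signatures and attribute statement removed); all names here are
this example's own.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML Core: a NameID without a Format attribute means "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_VALUE = ("AAdzZWNyZXQx+CqCPtl5V1m8t8n2Zy0CUJuq5OJfPLRW0gkqzuLhxlvgCLa4NWwdvxA/"
                "HUNgkjn8IsWVvUC1XhhIgPRTQO7l3P4V4d4fs31f8R/l4llpu0Im")

RESPONSE_XML = f"""
<saml2p:Response ID="_f4be1e34c3505be8a4f7f5a73d200589" Version="2.0"
    InResponseTo="_39cbbf043d1fb17016b7040d7be65a0e" IssueInstant="2019-09-25T13:21:51.209Z"
    xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}">
  <saml2:Issuer>https://idp.uniba.sk/idp/shibboleth</saml2:Issuer>
  <saml2:Assertion ID="_6c5ed95a008edd61cf6c9e6e0899c8f0" Version="2.0"
      IssueInstant="2019-09-25T13:21:51.209Z">
    <saml2:Issuer>https://idp.uniba.sk/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="https://idp.uniba.sk/idp/shibboleth"
          SPNameQualifier="AIS2VYVOJSP">{NAMEID_VALUE}</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-09-25T13:21:51.209Z" NotOnOrAfter="2019-09-25T13:26:51.209Z">
      <saml2:AudienceRestriction><saml2:Audience>AIS2VYVOJSP</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-09-25T13:21:50.335Z"
        SessionIndex="_f83bb986123c54719d6f8b13a3b2f2c5"/>
  </saml2:Assertion>
</saml2p:Response>"""

LOGOUT_REQUEST_XML = f"""
<saml2p:LogoutRequest Destination="https://idp.uniba.sk/idp/profile/SAML2/POST/SLO"
    ID="_4dbb6a3b39822dc8c4074f89b0910be1" IssueInstant="2019-09-25T13:43:01.353Z"
    NotOnOrAfter="2019-09-25T13:48:01.353Z" Reason="Single Logout" Version="2.0"
    xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}">
  <saml2:Issuer>AIS2VYVOJSP</saml2:Issuer>
  <saml2:NameID NameQualifier="https://idp.uniba.sk/idp/shibboleth"
      SPNameQualifier="AIS2VYVOJSP">{NAMEID_VALUE}</saml2:NameID>
  <saml2p:SessionIndex>_f83bb986123c54719d6f8b13a3b2f2c5</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

# Lifetimes copied from the posted idp.properties.
IDP_PROPERTIES = {"idp.session.timeout": "PT60M", "idp.session.defaultSPlifetime": "P1D",
                  "idp.authn.defaultLifetime": "PT60M", "idp.authn.defaultTimeout": "PT45M"}


def parse_duration(value: str) -> timedelta:
    """Parse the ISO 8601 duration subset idp.properties uses (P1D, PT60M, PT45M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def parse_instant(value: str) -> datetime:
    """SAML dateTime as the IdP logs it: UTC with fractional seconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def nameid_fields(el: ET.Element) -> dict:
    """The NameID attributes an SP session lookup has to agree on."""
    return {"value": (el.text or "").strip(), "Format": el.get("Format", UNSPECIFIED),
            "NameQualifier": el.get("NameQualifier"), "SPNameQualifier": el.get("SPNameQualifier")}


def correlate(response_xml: str, logout_xml: str, props: dict) -> dict:
    """Compare a LogoutRequest with the assertion it should end; list every difference."""
    assertion = ET.fromstring(response_xml.strip()).find("saml2:Assertion", NS)
    authn = assertion.find("saml2:AuthnStatement", NS)
    audience = assertion.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience",
                                  namespaces=NS)
    issued = nameid_fields(assertion.find("saml2:Subject/saml2:NameID", NS))

    logout = ET.fromstring(logout_xml.strip())
    issuer = logout.findtext("saml2:Issuer", namespaces=NS)
    requested = nameid_fields(logout.find("saml2:NameID", NS))
    indexes = [e.text.strip() for e in logout.findall("saml2p:SessionIndex", NS)]
    elapsed = parse_instant(logout.get("IssueInstant")) - parse_instant(authn.get("AuthnInstant"))

    findings = []
    if issuer != audience:
        findings.append(f"Issuer {issuer!r} != assertion Audience {audience!r}")
    if indexes and authn.get("SessionIndex") not in indexes:
        findings.append(f"SessionIndex {indexes} != assertion {authn.get('SessionIndex')!r}")
    for key in ("value", "Format", "NameQualifier", "SPNameQualifier"):
        if issued[key] != requested[key]:
            findings.append(f"NameID {key}: assertion {issued[key]!r} vs LogoutRequest {requested[key]!r}")
    # Worst case: nothing touched the session since login, so every lifetime runs from AuthnInstant.
    expired = [k for k, v in props.items() if elapsed >= parse_duration(v)]
    return {"elapsed": elapsed, "session_index_match": authn.get("SessionIndex") in indexes,
            "nameid_value_match": issued["value"] == requested["value"],
            "expired": expired, "findings": findings}


if __name__ == "__main__":
    result = correlate(RESPONSE_XML, LOGOUT_REQUEST_XML, IDP_PROPERTIES)
    print("elapsed since AuthnInstant:", result["elapsed"])
    print("lifetimes exceeded:", result["expired"] or "none")
    for finding in result["findings"]:
        print("finding:", finding)
```

To use it on another failure, replace the two message strings with the PROTOCOL_MESSAGE dumps from idp-process.log (the Response before encryption and the incoming LogoutRequest) and the property values with those of the IdP in question; an empty findings list and no exceeded lifetime means the mismatch is not visible in the messages themselves and the storage side (here the client-side session store) is the next thing to look at.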


