SLO problem IdP v.3.4.6
Kai Zimmer
zimmer at bbaw.de
Fri Jul 17 16:29:20 UTC 2020
Hi Scott,
thanks a lot for your hints.
On 16.07.2020 19:35, Cantor, Scott wrote:
>> SLO never being practical anyway notwithstanding, most issues amount to NameID mismatches between the
>> LogoutRequest and the original Assertion, so that's missing the core comparison you need to debug via the log.
I did that, here's the output. I'm not an expert, but it looks to me like
there is no mismatch between the NameID in the original assertion and
the NameID in the LogoutRequest. So there is a problem with the
StorageService of the IdP? I switched it to Client side Browser cookies
- it makes no difference, I still get 'SessionNotFound' errors?
Snippet from original assertion:
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://login.bbaw.de/idp/shibboleth"
SPNameQualifier="https://nubes.bbaw.de/apps/user_saml/saml/metadata"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">QJYMXBYIIYQAGZOZ6GG2BAG6RSXSCJAV</saml2:NameID>
Snippet 1 from idp-warn.log:
2020-07-17 17:50:30,916 - xxx.xxx.xxx.xxx - WARN
[org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:74]
- Ignoring NameIDFormat metadata that includes the 'unspecified' format
Snippet from LogoutRequest:
<samlp:LogoutRequest
Destination="https://my.idp.test/idp/profile/SAML2/Redirect/SLO"
ID="ONELOGIN_94ecab58dc3fafa70f7d2baa9ad228b410c857af"
IssueInstant="2020-07-17T15:55:34Z" Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>https://my.sp.test/apps/user_saml/saml/metadata</saml:Issuer>
<saml:NameID>QJYMXBYIIYQAGZOZ6GG2BAG6RSXSCJAV</saml:NameID>
<samlp:SessionIndex>_76e2634663397d200cd25430a40f3810</samlp:SessionIndex>
</samlp:LogoutRequest>
Snippet 2 from idp-warn.log:
2020-07-17 17:55:35,088 - xxx.xxx.xxx.xxx - WARN
[org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
occurred while processing the request: SessionNotFound
Best regards,
Kai
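
A field-by-field comparison of the two NameID elements quoted in the message above, as an added example (not part of the original post and not Shibboleth code). It assumes a match means equal text value plus equal Format, NameQualifier and SPNameQualifier attributes; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FIELDS = ("Format", "NameQualifier", "SPNameQualifier")

# The two snippets quoted in the message, embedded as sample input.
ASSERTION_NAMEID = """<saml2:NameID
 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
 NameQualifier="https://login.bbaw.de/idp/shibboleth"
 SPNameQualifier="https://nubes.bbaw.de/apps/user_saml/saml/metadata"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">QJYMXBYIIYQAGZOZ6GG2BAG6RSXSCJAV</saml2:NameID>"""

LOGOUT_REQUEST = """<samlp:LogoutRequest
 Destination="https://my.idp.test/idp/profile/SAML2/Redirect/SLO"
 ID="ONELOGIN_94ecab58dc3fafa70f7d2baa9ad228b410c857af"
 IssueInstant="2020-07-17T15:55:34Z" Version="2.0"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <saml:Issuer>https://my.sp.test/apps/user_saml/saml/metadata</saml:Issuer>
 <saml:NameID>QJYMXBYIIYQAGZOZ6GG2BAG6RSXSCJAV</saml:NameID>
 <samlp:SessionIndex>_76e2634663397d200cd25430a40f3810</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def extract_name_id(xml_text):
    """Return the NameID's text and qualifying attributes as a dict."""
    # Input here is trusted local log material; use a hardened parser
    # for XML that comes from an untrusted source.
    root = ET.fromstring(xml_text)
    tag = "{%s}NameID" % ASSERTION_NS
    node = root if root.tag == tag else root.find(".//" + tag)
    if node is None:
        raise ValueError("no saml:NameID element found")
    fields = {"value": (node.text or "").strip()}
    for attr in FIELDS:
        fields[attr] = node.get(attr)  # None when the attribute is absent
    return fields


def name_id_differences(original, request):
    """Map each differing field to its (assertion, LogoutRequest) pair."""
    a, b = extract_name_id(original), extract_name_id(request)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for field, (orig, req) in name_id_differences(
            ASSERTION_NAMEID, LOGOUT_REQUEST).items():
        print(f"{field}: assertion={orig!r} request={req!r}")
```

For these two snippets the text values are equal, while Format, NameQualifier and SPNameQualifier are present on the assertion's NameID and absent from the LogoutRequest's.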