Occasional Logout Failure due to missing session
jakub.danek at yoso.fi
Wed Nov 25 15:13:04 UTC 2020
We have been trying to track down the source of an occasional problem with
logout (SLO) that our users have been experiencing. We are in control of the SP
(Shibboleth 3.0.4). The IDP is provided by a 3rd party; from the single log
they shared with us, it seems they are running a Shibboleth IDP installation.
The problem: once in a while, the IDP responds with an error to a logout
request, with a message like this one:
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:LogoutResponse Destination="
> IssueInstant="2019-09-16T12:23:40.328Z" Version="2.0"
> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
> <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
The log from the IDP says the following:
> 2020-11-19 11:42:14,061 - INFO
> [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:402] -
> Profile Action ProcessLogoutRequest: No active session(s) found matching
We have confirmed with testing that the problem is not directly tied to
the session timeout of either the SP or the IDP. Sometimes it happens to users who try
to log out a couple of minutes after the login. In general we haven't been able
to find a way to reliably reproduce it. Most of the time, the SLO works as
Does anyone have any ideas what might be causing this / where to look on the SP side?
And what we can do to improve user experience? I would love to provide a
custom error page for this case, but since the response does not contain
any details to identify this particular issue, hiding all errors from
"logout" processes via SP error handling seems like a bad idea.
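
The point in the last paragraph, that the response carries nothing to tell this failure apart from any other, can be checked offline against a logged LogoutResponse. This is an added example, not part of the original post or of Shibboleth's code; the sample message is constructed from the quoted fragment with placeholder Destination, ID and InResponseTo values, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed sample: status code, message and IssueInstant as quoted in the
# post; Destination, ID and InResponseTo are placeholders.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.example.org/placeholder"
    ID="_placeholder-response-id" InResponseTo="_placeholder-request-id"
    IssueInstant="2019-09-16T12:23:40.328Z" Version="2.0">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:LogoutResponse>"""


def logout_status(xml_text):
    """Collect the fields a validated, logged LogoutResponse offers for triage."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}LogoutResponse" % NS["p"]:
        raise ValueError("not a SAML 2.0 LogoutResponse")
    status = root.find("p:Status", NS)
    if status is None:
        raise ValueError("LogoutResponse has no Status element")
    codes = []
    node = status.find("p:StatusCode", NS)
    while node is not None:  # a StatusCode may nest more specific sub-codes
        codes.append(node.get("Value", ""))
        node = node.find("p:StatusCode", NS)
    message = status.findtext("p:StatusMessage", default="", namespaces=NS)
    return {"in_response_to": root.get("InResponseTo"), "codes": codes,
            "message": message.strip(),
            "has_detail": status.find("p:StatusDetail", NS) is not None}


def triage(info):
    """Hypothetical buckets an SP-side error handler could branch on."""
    codes = info["codes"]
    if STATUS + "PartialLogout" in codes:
        return "partial-logout"
    if codes[:1] == [STATUS + "Success"]:
        return "success"
    if len(codes) > 1 or info["has_detail"]:
        return "specific-error"
    return "generic-error"  # the case in the post: Responder + generic text
```

For the sample, `triage(logout_status(SAMPLE))` lands in the generic bucket, and `in_response_to` is the one remaining field for matching the failure to the SP's own logged LogoutRequest.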