Occasional Logout Failure due to missing session
cantor.2 at osu.edu
Wed Nov 25 15:59:40 UTC 2020
There are any number of reasons sessions can be gone; all the IdP knows is it's gone. Client side sessions and a changing IP address are all it really takes to reproduce pretty easily. You also have the problem that most IdPs don't do single logout, so a logout by one SP will simply orphan the sessions at all the rest and their attempt to log out later will always cause this error.
> Anyone any ideas what might be causing this / where to look at the SP side?
There's nothing you could look at; it's not on the SP side.
> And what we can do to improve user experience?
If you figure that out, you'll be the first I know of.
> I would love to provide a custom error page for this case, but since the response does not contain any details to identify
> this particular issue, hiding all errors from "logout" processes via SP error handling seems like a bad idea.
All you know is it failed, and the problem is that no user is going to understand that concept. That doesn't change what happened. The best the SP can do is allow redirection to handle the error; I certainly wouldn't use the built-in templates, but there's not much else it can do.
This is the only case the SP ever gets control back from a logout, so in effect if you have to do anything at all, you basically are talking about an error. A successful logout has to end up at the IdP.
I can't exactly recall what the Shibboleth IdP does when the asynchronous option is used and an error happens, but I suspect that will probably result in an equally bad error page at the IdP end instead.