Logout Failing - No active session(s) found matching LogoutRequest
Nate Klingenstein
ndk at signet.id
Fri Oct 22 05:45:29 UTC 2021
Gary,
You might need Scott to give a definitive response, but the NameID must strongly match, and the SessionIndex is optional. See 3.3.4 and 3.7.1.
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
It could be because of a missing NameFormat; a quick look at the IdP code looks like it assumes unspecified if nothing is present and not the transient format that you're probably sending.
    // Use the format of the original NameID to determine whether to
    // allow the qualifiers to be defaulted. If the formats don't match
    // the eventual check will fail anyway.
    String format = saml2Session.getNameID().getFormat();
    if (format == null) {
        format = NameID.UNSPECIFIED;
    }
https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob;f=idp-saml-impl/src/main/java/net/shibboleth/idp/saml/saml2/profile/impl/ProcessLogoutRequest.java;h=1019cde325e8f4b92fce32705310d6f3db01b981;hb=refs/heads/main
As it's specific to the SP in question, that's probably the issue.
Take care,
Nate
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
From: Lipscomb, Gary via users
Sent: Friday, October 22 2021, 5:23 am
To: Shib Users
Cc: Lipscomb, Gary
Subject: Logout Failing - No active session(s) found matching LogoutRequest
Hi list,
I’ve got an issue with logging out from an SP Replicon.
The IdP (v4.1.4) is reporting [1] "No active session(s) found matching LogoutRequest".
The LogoutRequest [2] from the SP
Am I correct in assuming that this is failing since the NameID element in the logout request doesn't contain the Format type as a minimum?
Does it also require the SessionIndex obtained from Authn Response?
Regards
Gary
[1] IdP log
2021-10-22 16:03:16,067 - 10.9.246.166 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:366] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2021-10-22 16:03:16,068 - 10.9.246.166 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: SessionNotFound
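Added example, not part of the thread and not Shibboleth code: a small diagnostic that compares the NameID an IdP issued with the NameID in an SP's LogoutRequest, treating an absent Format as unspecified in the same way as the IdP snippet quoted above. The function names and both sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML core: when Format is absent, "unspecified" is in effect.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def name_id(xml_text):
    """Return (value, effective Format) of the first NameID in a SAML message."""
    nid = ET.fromstring(xml_text).find(".//saml:NameID", NS)
    if nid is None:
        raise ValueError("no NameID element")
    return (nid.text or "").strip(), nid.get("Format") or UNSPECIFIED

def session_indexes(logout_xml):
    """SessionIndex values in a LogoutRequest (the element is optional)."""
    found = ET.fromstring(logout_xml).iterfind("samlp:SessionIndex", NS)
    return [e.text.strip() for e in found if e.text]

def logout_mismatches(issued_xml, logout_xml):
    """List the ways the LogoutRequest NameID differs from the issued NameID."""
    value, fmt = name_id(issued_xml)
    l_value, l_fmt = name_id(logout_xml)
    problems = []
    if l_fmt != fmt:
        problems.append(f"Format: issued {fmt}, logout {l_fmt}")
    if l_value != value:
        problems.append("value differs")
    return problems

# Constructed sample messages (not from the thread), trimmed to the relevant elements.
_XMLNS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"')
ISSUED = (f'<saml:Assertion {_XMLNS}><saml:Subject>'
          f'<saml:NameID Format="{TRANSIENT}">_constructed-id-1</saml:NameID>'
          '</saml:Subject></saml:Assertion>')
LOGOUT_NO_FORMAT = (f'<samlp:LogoutRequest {_XMLNS}>'
                    '<saml:NameID>_constructed-id-1</saml:NameID>'
                    '<samlp:SessionIndex>_constructed-idx</samlp:SessionIndex>'
                    '</samlp:LogoutRequest>')
LOGOUT_WITH_FORMAT = LOGOUT_NO_FORMAT.replace(
    "<saml:NameID>", f'<saml:NameID Format="{TRANSIENT}">')

if __name__ == "__main__":
    for label, msg in (("no Format", LOGOUT_NO_FORMAT), ("with Format", LOGOUT_WITH_FORMAT)):
        print(label, logout_mismatches(ISSUED, msg), session_indexes(msg))
```

ElementTree is used here on constructed input only; messages received from an SP should go through a hardened XML parser.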