Logout Failing - No active session(s) found matching LogoutRequest

Lipscomb, Gary glipscomb at csu.edu.au
Fri Oct 22 07:30:14 UTC 2021

Oops, I didn’t reply back to the list

Hi Nate,

In this instance we are sending a persistent format nameID back.
I'm trying to convince them to include the format but it's hard. Just needed clarification.


Gary Lipscomb
Technical Officer, Systems | IT Infrastructure & Security | Division of Information Technology
Charles Sturt University

-----Original Message-----
From: Nate Klingenstein <ndk at signet.id> 
Sent: Friday, 22 October 2021 16:45
To: Shib Users <users at shibboleth.net>
Cc: Lipscomb, Gary <glipscomb at csu.edu.au>
Subject: RE: Logout Failing - No active session(s) found matching LogoutRequest


You might need Scott to give a definitive response, but the NameID must strongly match, and the SessionIndex is optional.  See 3.3.4 and 3.7.1.


It could be because of a missing NameFormat; a quick look at the IdP code looks like it assumes unspecified if nothing is present and not the transient format that you're probably sending.

    // Use the format of the original NameID to determine whether to
    // allow the qualifiers to be defaulted. If the formats don't match
    // the eventual check will fail anyway.
    String format = saml2Session.getNameID().getFormat();
    if (format == null) {
        format = NameID.UNSPECIFIED;
    }


As it's specific to the SP in question, that's probably the issue.

Take care,

Signet, Inc.
The Art of Access ®


-----Original message-----
From: Lipscomb, Gary via users
Sent: Friday, October 22 2021, 5:23 am
To: Shib Users
Cc: Lipscomb, Gary
Subject: Logout Failing - No active session(s) found matching LogoutRequest

Hi list,

I’ve got an issue with logging out from an SP Replicon.

The IdP (v4.1.4) is reporting [1] "No active session(s) found matching LogoutRequest".

The LogoutRequest [2] from the SP

Am I correct in assuming that this is failing since the NameID element in the logout request doesn't contain the Format type as a minimum?
Does it also require the SessionIndex obtained from Authn Response?


[1] IdP log

2021-10-22 16:03:16,067 - - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:366] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2021-10-22 16:03:16,068 - - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: SessionNotFound
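
The check discussed in this thread, as an added example (not part of the original messages and not Shibboleth code): it parses a LogoutRequest and compares its NameID with the one issued at login, treating an absent Format as unspecified. The sample request, the identifier value and the strict-equality comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: a LogoutRequest whose NameID carries no Format attribute.
SAMPLE_REQUEST = """\
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2021-10-22T05:03:15Z">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:NameID>CONSTRUCTED-PERSISTENT-ID</saml:NameID>
</samlp:LogoutRequest>
"""


def parse_logout_request(xml_text):
    """Return the fields of a LogoutRequest that session matching depends on."""
    root = ET.fromstring(xml_text)  # intended for locally captured messages
    name_id = root.find("saml:NameID", NS)
    if name_id is None:
        raise ValueError("no plain NameID (it may be an EncryptedID)")
    return {
        "value": (name_id.text or "").strip(),
        "format": name_id.get("Format"),  # None when the SP omitted it
        "session_indexes": [e.text for e in root.findall("samlp:SessionIndex", NS)],
    }


def explain_mismatch(issued_value, issued_format, request):
    """Compare the NameID issued at login with the one in the LogoutRequest.

    Assumption: value and effective format must both be equal for a match.
    """
    problems = []
    if request["value"] != issued_value:
        problems.append("NameID value differs")
    # An absent Format is read as unspecified on both sides.
    got, want = request["format"] or UNSPECIFIED, issued_format or UNSPECIFIED
    if got != want:
        problems.append(f"Format differs: request={got} issued={want}")
    return problems


if __name__ == "__main__":
    req = parse_logout_request(SAMPLE_REQUEST)
    print(explain_mismatch("CONSTRUCTED-PERSISTENT-ID", PERSISTENT, req) or "match")
```
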
