Logout Failing - No active session(s) found matching LogoutRequest

Lipscomb, Gary glipscomb at csu.edu.au
Fri Oct 22 07:30:14 UTC 2021


Oops, I didn’t reply back to the list

Hi Nate,

In this instance we are sending a persistent format nameID back.
I'm trying to convince them to include the format but it's hard. Just needed clarification.

Regards
Gary


Gary Lipscomb
Technical Officer, Systems | IT Infrastructure & Security | Division of Information Technology
Charles Sturt University


-----Original Message-----
From: Nate Klingenstein <ndk at signet.id> 
Sent: Friday, 22 October 2021 16:45
To: Shib Users <users at shibboleth.net>
Cc: Lipscomb, Gary <glipscomb at csu.edu.au>
Subject: RE: Logout Failing - No active session(s) found matching LogoutRequest

Gary,

You might need Scott to give a definitive response, but the NameID must strongly match, and the SessionIndex is optional.  See 3.3.4 and 3.7.1.

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

It could be because of a missing NameFormat; a quick look at the IdP code looks like it assumes unspecified if nothing is present and not the transient format that you're probably sending.

    // Use the format of the original NameID to determine whether to
    // allow the qualifiers to be defaulted. If the formats don't match
    // the eventual check will fail anyway.
    String format = saml2Session.getNameID().getFormat();
    if (format == null) {
        format = NameID.UNSPECIFIED;
    }

https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob;f=idp-saml-impl/src/main/java/net/shibboleth/idp/saml/saml2/profile/impl/ProcessLogoutRequest.java;h=1019cde325e8f4b92fce32705310d6f3db01b981;hb=refs/heads/main

As it's specific to the SP in question, that's probably the issue.

Take care,
Nate

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id

-----Original message-----
From: Lipscomb, Gary via users
Sent: Friday, October 22 2021, 5:23 am
To: Shib Users
Cc: Lipscomb, Gary
Subject: Logout Failing - No active session(s) found matching LogoutRequest

Hi list,

I’ve got an issue with logging out from an SP Replicon.

The IdP (v4.1.4) is reporting [1] "No active session(s) found matching LogoutRequest".

The LogoutRequest [2] from the SP

Am I correct in assuming that this is failing since the NameID element in the logout request doesn't contain the Format type as a minimum?
Does it also require the SessionIndex obtained from Authn Response?

Regards
Gary

[1] IdP log

2021-10-22 16:03:16,067 - 10.9.246.166 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:366] - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2021-10-22 16:03:16,068 - 10.9.246.166 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: SessionNotFound
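
An added example, not part of the thread and not the IdP's own code: a simplified Python model of the matching described above (NameID must match, a missing Format is treated as unspecified, SessionIndex is optional), run against a constructed LogoutRequest. The function names, sample values and the decision to ignore NameQualifier/SPNameQualifier are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def sample_request(format_attr="", session_index=None):
    """Build a constructed LogoutRequest (all values are made up)."""
    idx = f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>" if session_index else ""
    return f'''<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        ID="_constructed1" Version="2.0" IssueInstant="2021-10-22T05:03:16Z">
      <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
      <saml:NameID{format_attr}>CONSTRUCTED-PERSISTENT-ID</saml:NameID>
      {idx}
    </samlp:LogoutRequest>'''

def parse_logout_request(xml_text):
    """Return (value, format, session_indexes) from a LogoutRequest."""
    # Diagnostic use on captured messages; for untrusted XML prefer a
    # hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:NameID", NS)
    if name_id is None:
        raise ValueError("LogoutRequest has no plaintext saml:NameID")
    indexes = [e.text.strip() for e in root.findall("samlp:SessionIndex", NS) if e.text]
    return (name_id.text or "").strip(), name_id.get("Format"), indexes

def diagnose(issued_value, issued_format, issued_index, logout_xml):
    """List reasons the request would not match the issued session."""
    value, fmt, indexes = parse_logout_request(logout_xml)
    problems = []
    # A missing Format is treated as unspecified on both sides (assumed model).
    want, got = issued_format or UNSPECIFIED, fmt or UNSPECIFIED
    if got != want:
        problems.append(f"Format mismatch: request has {got}, session has {want}")
    if value != issued_value:
        problems.append("NameID value differs from the one issued")
    # SessionIndex is optional; it is only compared when the SP sends one.
    if indexes and issued_index not in indexes:
        problems.append("SessionIndex present but does not match the session")
    return problems

if __name__ == "__main__":
    for p in diagnose("CONSTRUCTED-PERSISTENT-ID", PERSISTENT, "_idx1", sample_request()):
        print(p)
```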

