Error No active session(s) found matching LogoutRequest

Hello, I’m getting this error when I try to perform a logout from my SP web app.

No active session(s) found matching LogoutRequest

I have already read all the other related posts here, and none of them has really helped me.

In the logout request I’m sending the same NameID and SessionIndex as in the SAML Response. I’ve also configured the audience to match my issuer.

I’m not able to figure out where the problem is. These are my requests and responses.

SAML Login Request:

<?xml version="1.0"?>
<!-- SP-initiated login request from the SP (Issuer urn:moofwd:v2) to the IdP
     endpoint named in Destination. No Signature element appears in this
     listing, so the request looks unsigned; with the HTTP-Redirect binding a
     signature would travel in the query string, which this dump would not show.
     AssertionConsumerServiceURL is a plain-HTTP loopback address, which fits a
     local development setup; a deployed ACS endpoint should be HTTPS because
     the signed assertion is posted to it. -->
<samlp:AuthnRequest AssertionConsumerServiceURL="http://localhost:3000/api/saml/acs"
    Destination="https://dev-8h026noe.auth0.com/samlp/DHi2C2RCMqZkDNboN3miDSz52a8jrzSR"
    ID="_adb75250104ce17c4ed8" IssueInstant="2019-07-25T03:08:25.264Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Issuer is the SP entity ID; the LogoutRequest on this page carries the
         same value. NameIDPolicy asks for the "unspecified" NameID format. -->
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:moofwd:v2</saml:Issuer><samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <!-- Comparison="exact" asks for PasswordProtectedTransport specifically.
         The Response shown on this page returns the "unspecified" class, so an
         SP that depends on this requirement has to check the returned
         AuthnContextClassRef itself. -->
    <samlp:RequestedAuthnContext Comparison="exact" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Saml Login Response:

<!-- IdP response to the AuthnRequest above (InResponseTo equals the request
     ID). The Response element itself carries no Signature; only the enclosed
     Assertion is signed. The SP should therefore take NameID, SessionIndex and
     attributes only from the assertion whose ID the signature Reference covers,
     not from any other node in the document. -->
<samlp:Response Destination="http://localhost:3000/api/saml/acs" ID="_7e8f7334c17dde42cf35"
    InResponseTo="_adb75250104ce17c4ed8" IssueInstant="2019-07-25T03:08:45Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:auth0dev-8h026noe</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion ID="_F9f7raIV1ZyIogJXjYYEQqeqTE3V9Zfz" IssueInstant="2019-07-25T03:08:45.947Z"
        Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>urn:auth0dev-8h026noe</saml:Issuer>
        <!-- Enveloped signature over the assertion: the Reference URI equals the
             Assertion ID. SignatureMethod is rsa-sha1 and DigestMethod is sha1;
             SHA-1 is deprecated for signatures, so rsa-sha256 / sha256 is the
             better choice where the IdP configuration allows it (Auth0's SAML
             add-on settings appear to expose signatureAlgorithm and
             digestAlgorithm for this; confirm against current docs).
             SignatureValue and X509Certificate are abbreviated with "...." in
             this post. Verification should use the IdP certificate pinned in
             the SP configuration, not the KeyInfo embedded in the message. -->
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="#_F9f7raIV1ZyIogJXjYYEQqeqTE3V9Zfz">
                    <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>4Dq7Y+lkaQccOFJs6eU1/MXqqSg=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>cJ6o9JknxE2yi....SiCBr7Er3g2hnJw9+toyQYoTZ7x3Ug==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIDBzC..../RqmsrndgYtT54c=</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <!-- NameID here and SessionIndex in the AuthnStatement are the two values
             the LogoutRequest on this page echoes back. SubjectConfirmationData
             ties the assertion to the request ID and to the ACS URL as
             Recipient; NotOnOrAfter is one hour after issuance. -->
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|5d31edc168b68a0dbc11b3aa</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_adb75250104ce17c4ed8"
                NotOnOrAfter="2019-07-25T04:08:45.947Z" Recipient="http://localhost:3000/api/saml/acs"/></saml:SubjectConfirmation>
        </saml:Subject>
        <!-- Audience is http://localhost:3000/, while the add-on settings posted
             further down set "audience" to urn:moofwd:v2, which is also the SP
             Issuer. This assertion therefore does not seem to have been issued
             under those settings; that may be related to the poster's later
             finding that a freshly created application resolved the problem.
             An SP that enforces AudienceRestriction against its entity ID
             would reject this assertion. -->
        <saml:Conditions NotBefore="2019-07-25T03:08:45.947Z" NotOnOrAfter="2019-07-25T04:08:45.947Z">
            <saml:AudienceRestriction>
                <saml:Audience>http://localhost:3000/</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <!-- SessionIndex identifies the IdP session that single logout refers to.
             AuthnContextClassRef is "unspecified" although the request asked
             for an exact PasswordProtectedTransport match. -->
        <saml:AuthnStatement AuthnInstant="2019-07-25T03:08:45.947Z"
            SessionIndex="_07XnTRlT07Lb2po0Z9LiNiyxGLlmcrkD">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <!-- Claims released by the IdP. email_verified is false for this account,
             which matters if the SP links or provisions local accounts by the
             emailaddress / name / upn values rather than by NameID. -->
        <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
                <saml:AttributeValue xsi:type="xs:anyType">auth0|5d31edc168b68a0dbc11b3aa</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <saml:AttributeValue xsi:type="xs:anyType">web@moofwd.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <saml:AttributeValue xsi:type="xs:anyType">web@moofwd.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
                <saml:AttributeValue xsi:type="xs:anyType">web@moofwd.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider">
                <saml:AttributeValue xsi:type="xs:anyType">auth0</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection">
                <saml:AttributeValue xsi:type="xs:anyType">Username-Password-Authentication</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial">
                <saml:AttributeValue xsi:type="xs:anyType">false</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/email_verified">
                <saml:AttributeValue xsi:type="xs:anyType">false</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/clientID">
                <saml:AttributeValue xsi:type="xs:anyType">DHi2C2RCMqZkDNboN3miDSz52a8jrzSR</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/updated_at">
                <saml:AttributeValue xsi:type="xs:anyType">Thu Jul 25 2019 03:08:45 GMT+0000 (UTC)</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/picture">
                <saml:AttributeValue xsi:type="xs:anyType">https://s.gravatar.com/avatar/1842aa0a50262b362d9e134bda5704dc?s=480&amp;r=pg&amp;d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fwe.png</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/nickname">
                <saml:AttributeValue xsi:type="xs:anyType">web</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.auth0.com/created_at">
                <saml:AttributeValue xsi:type="xs:anyType">Fri Jul 19 2019 16:20:17 GMT+0000 (UTC)</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

SAML Logout Request:

<?xml version="1.0"?>
<!-- SP-initiated single logout request. Issuer, NameID (value and Format) and
     SessionIndex match the login exchange shown on this page, so the
     identifiers themselves are unlikely to be what the IdP fails to match.
     No Signature element is present in this listing. A LogoutRequest ends a
     user's IdP session, so IdPs commonly expect it to be signed by the SP;
     whether that is required here is not shown on the page. -->
<samlp:LogoutRequest
    Destination="https://dev-8h026noe.auth0.com/samlp/DHi2C2RCMqZkDNboN3miDSz52a8jrzSR/logout"
    ID="_6e120d8da804c99168aa" IssueInstant="2019-07-25T03:09:03.952Z" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:moofwd:v2</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|5d31edc168b68a0dbc11b3aa</saml:NameID>
    <!-- The saml2p prefix is bound to the same protocol namespace URI as samlp,
         so a namespace-aware parser reads this as an ordinary SessionIndex. -->
    <saml2p:SessionIndex xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">_07XnTRlT07Lb2po0Z9LiNiyxGLlmcrkD</saml2p:SessionIndex>
</samlp:LogoutRequest>

Settings Add on:

{
  "audience": "urn:moofwd:v2",
  "recipient": "http://localhost:3000/api/saml/acs",
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "destination": "http://localhost:3000/api/saml/acs",
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "logout": {
    "callback": "http://localhost:3000/api/saml/slo",
    "slo_enabled": false
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}

I’m using passport-saml package where my strategy is:

// passport-saml strategy for the Auth0 IdP used on this page.
//
// Review notes on what this configuration does and does not check:
//  - No `audience` option is set. passport-saml appears to verify the
//    assertion's Audience only when one is configured (confirm for the
//    installed version), which would explain why login succeeded even though
//    the assertion above carries Audience http://localhost:3000/ rather than
//    the issuer urn:moofwd:v2.
//  - No signing key is configured (the option is `privateKey` or `privateCert`
//    depending on the passport-saml version), which matches the unsigned
//    AuthnRequest and LogoutRequest dumps above.
//  - All SP URLs are plain-HTTP localhost values, i.e. a development setup.
export const samlStrategy = new SamlStrategy(
  {
    // SP identity and the NameID format it asks the IdP for.
    issuer: 'urn:moofwd:v2',
    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

    // SP endpoints: assertion consumer path and single-logout callback.
    path: '/api/saml/acs',
    logoutCallbackUrl: 'http://localhost:3000/api/saml/slo',

    // IdP endpoints for login and logout.
    entryPoint: 'https://dev-8h026noe.auth0.com/samlp/DHi2C2RCMqZkDNboN3miDSz52a8jrzSR',
    logoutUrl: 'https://dev-8h026noe.auth0.com/samlp/DHi2C2RCMqZkDNboN3miDSz52a8jrzSR/logout',

    // IdP signing certificate, read synchronously when this module loads;
    // presumably what response signatures are verified against.
    cert: fs.readFileSync('config/dev-8h026noe.pem').toString(),
  },
  // Verify callback: keep exactly the fields a later LogoutRequest needs
  // (NameID, its format and the IdP SessionIndex) on the session user.
  (profile: any, done: any) => {
    const { sessionIndex, nameID, nameIDFormat } = profile;
    done(null, { sessionIndex, id: nameID, nameID, nameIDFormat });
  }
);

Regards.

Hi,

I’m coming back to post my solution to this. I’m not sure what the problem was, but I created a new app in Auth0 and enabled only the SAML add-on. Previously I had both SAML and ADFS enabled, and I was unable to disable ADFS (the switch button).

Regards.