
Getting "No active session(s) found matching LogoutRequest" when trying to do logout request with SAML

saml
saml2

#1

I’m getting the above error when submitting a LogoutRequest. The LogoutRequest is shown below:

<LogoutRequest Version="2.0" IssueInstant="2018-11-28T03:21:08Z" ID="id88cbb3c694bd4958bded1628123e33d3" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:sif-touch-dev.au.auth0.com</Issuer><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">auth0|5a4557c041bc7b2bc7a7c101</NameID><SessionIndex>_J2JaGGovaenR-4GeO9Z6ntsMy2wrJdoh</SessionIndex></LogoutRequest>

The NameID, Issuer and SessionIndex are copied from the assertion in the SAML response.

The LogoutRequest is submitted by the following form:

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> 
<body onload="document.forms[0].submit()">
	<noscript> 
		<p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the Continue button once to proceed. </p> 
	</noscript>
	<form action="https://sif-touch-dev.au.auth0.com/samlp/OsLpNhHHoBqMux45oh6fnSvA8ESyHGBW/logout" method="post">
		<div>
			<input type="hidden" name="SAMLRequest" value="PExvZ291dFJlcXVlc3QgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTgtMTEtMjhUMDM6MjE6MDhaIiBJRD0iaWQ4OGNiYjNjNjk0YmQ0OTU4YmRlZDE2MjgxMjNlMzNkMyIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PElzc3VlciB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+dXJuOnNpZi10b3VjaC1kZXYuYXUuYXV0aDAuY29tPC9Jc3N1ZXI+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+YXV0aDB8NWE0NTU3YzA0MWJjN2IyYmM3YTdjMTAxPC9OYW1lSUQ+PFNlc3Npb25JbmRleD5fSjJKYUdHb3ZhZW5SLTRHZU85WjZudHNNeTJ3ckpkb2g8L1Nlc3Npb25JbmRleD48L0xvZ291dFJlcXVlc3Q+"/>
		</div> 
		<noscript> 
			<div> 
				<input type="submit" value="Continue"/> 
			</div> 
		</noscript> 
	</form> 
</body>
</html>

Any assistance would be much appreciated to get me past this.


#2

Can you provide the full SAML response from the authentication? Or, ideally, a .HAR file with the login and subsequent logout attempt (be sure to remove any passwords from the file).


#3

sif-touch-dev.au.auth0.com.har (1.8 MB)

@nicolas_sabena I have attached a .HAR file. There is no sensitive data; it is just a system we use for test purposes.


#4

When looking for valid sessions to terminate, we are looking for a match on three things:

  • The NameID
  • The SessionIndex
  • The Issuer (which we compare against the audience configured in the SAML add-on for the application)

The audience you have configured in the SAML add-on is urn:example, but the audience used in the SAML requests from the SP reads urn:sif-touch-dev.au.auth0.com.

To avoid confusion, avoid using urn:sif-touch-dev.au.auth0.com, which is the identifier for the Auth0 side (the identity provider), and use a different identifier for your application (SP). Make sure to use this new identifier both in the audience setting of the add-on and in the SAML requests.

Let me know how it goes after changing that.


#5

Thanks @nicolas_sabena. I have tried changing the audience in the SAML add-on configuration and the issuer to the value “urn:gwyn10.dev.stayinfront.com”. I am still seeing the same issue (“No active session(s) found matching LogoutRequest”).

Here is the decoded LogoutRequest:

<LogoutRequest Version="2.0" IssueInstant="2018-11-28T19:23:21Z" ID="id4e221229a19449bc84f0cae4e1e5c7d4" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:gwyn10.dev.stayinfront.com</Issuer><NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">auth0|5a4557c041bc7b2bc7a7c101</NameID><SessionIndex>auth0|5a4557c041bc7b2bc7a7c101</SessionIndex></LogoutRequest>

Here is the SAML add-on configuration:

{
  "audience": "urn:gwyn10.dev.stayinfront.com",
  "recipient": "http://example.com",
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": true,
  "signatureAlgorithm": "rsa-sha1",
  "digestAlgorithm": "sha1",
  "destination": "http://example.com",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "logout": {
    "callback": "https://gwyn10.dev.stayinfront.com/touch/",
    "slo_enabled": false
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}

#6

New .HAR please :smiley:. Sorry!


#7

@nicolas_sabena The .har file is attached. Thanks for your assistance.

sif-touch-dev.au.auth0.com.har (1.1 MB)


#8

@nicolas_sabena Sorry, I believe it is working for me now. I found an issue with my last LogoutRequest: I was sending the NameID value in place of the SessionIndex. I resolved that at my end and I have now been able to successfully log out.


#9

No worries, glad it worked!
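
The three-way match described in post #4 and the mistake found in post #8 can be checked on the SP side before the form is submitted. The following is an added example, not part of the original thread and not Auth0's code: it decodes an HTTP-POST binding SAMLRequest and compares Issuer, NameID and SessionIndex against the values the SP expects. The function names, the shape of the `EXPECTED` dict, and the pairing of the SessionIndex from post #1 with the audience from post #5 are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_logout_request(saml_request_b64):
    """Decode an HTTP-POST binding SAMLRequest (plain base64) into its match fields."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 LogoutRequest: %s" % root.tag)

    def text(path):
        node = root.find(path, NS)
        return None if node is None else (node.text or "").strip()

    return {"issuer": text("saml:Issuer"),
            "name_id": text("saml:NameID"),
            "session_index": text("samlp:SessionIndex")}

def find_mismatches(request, expected):
    """List every reason the request would not match the expected session."""
    problems = []
    for field in ("issuer", "name_id", "session_index"):
        if request[field] != expected[field]:
            problems.append("%s: sent %r, expected %r"
                            % (field, request[field], expected[field]))
    # The specific mistake from post #8: NameID copied into SessionIndex.
    if request["session_index"] and request["session_index"] == request["name_id"]:
        problems.append("session_index repeats name_id")
    return problems

def encode_sample(issuer, name_id, session_index):
    """Build a constructed, minimal LogoutRequest encoded as the form in post #1 carries it."""
    xml = ('<LogoutRequest Version="2.0" xmlns="%s">'
           '<Issuer xmlns="%s">%s</Issuer><NameID xmlns="%s">%s</NameID>'
           '<SessionIndex>%s</SessionIndex></LogoutRequest>'
           % (NS["samlp"], NS["saml"], issuer, NS["saml"], name_id, session_index))
    return base64.b64encode(xml.encode()).decode()

# Values quoted from the posts; the "expected" dict shape is an assumption.
NAME_ID = "auth0|5a4557c041bc7b2bc7a7c101"
SESSION_INDEX = "_J2JaGGovaenR-4GeO9Z6ntsMy2wrJdoh"
EXPECTED = {"issuer": "urn:gwyn10.dev.stayinfront.com",  # add-on "audience"
            "name_id": NAME_ID, "session_index": SESSION_INDEX}

if __name__ == "__main__":
    bad = encode_sample(EXPECTED["issuer"], NAME_ID, NAME_ID)  # the bug from post #8
    for line in find_mismatches(parse_logout_request(bad), EXPECTED):
        print(line)
```

An empty list from `find_mismatches` means the request carries the same three values the SP recorded at login; it does not prove the IdP still holds that session.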