'No active session(s) found matching LogoutRequest' for SAML Logout

I’m trying to set up Auth0 as a SAML2 IdP. The sign in works fine but the log out throws the error “No active session(s) found matching LogoutRequest”.

SAML2 Settings
{
  "audience": "https//sandboxparsa.accme.org/",
  "mappings": {
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": true,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "logout": {
    "callback": "https//localhost:44332/logout",
    "slo_enabled": false
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}

Sign-in Request
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1342545769" Version="2.0" IsPassive="false" ForceAuthn="false" IssueInstant="2020-09-28T13:20:44.5481919-04:00" Destination="https//accme.us.auth0.com/samlp/cHQ45qeedY2jD5936vKZ9tXXElMwa1xC? " ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https//localhost:44332/SP/AssertionConsumer" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https//sandboxparsa.accme.org/</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="https//localhost:44332" />
</samlp:AuthnRequest>

Sign-in Response
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8aeb36bdbeed7c0bde5e" InResponseTo="_1342545769" Version="2.0" IssueInstant="2020-09-28T17:21:31.874Z" Destination="https//localhost:44332/SP/AssertionConsumer">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:accme.us.auth0.com</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_gdNiw0RIm40dVbZIY4sQ0ah0K4JYJSCd" IssueInstant="2020-09-28T17:21:31.863Z">
<saml:Issuer>urn:accme.us.auth0.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|5f72133025dd140078000531</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2020-09-28T18:21:31.863Z" Recipient="https//localhost:44332/SP/AssertionConsumer" InResponseTo="_1342545769"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-09-28T17:21:31.863Z" NotOnOrAfter="2020-09-28T18:21:31.863Z">
<saml:AudienceRestriction>
<saml:Audience>https//sandboxparsa.accme.org/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-09-28T17:21:31.863Z" SessionIndex="_r-UEMOsrwXC1_NsAPrVfIcL9zhrhpPF4">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http//www.w3.org/2001/XMLSchema" xmlns:xsi="http//www.w3.org/2001/XMLSchema-instance">
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

Sign-out Request
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_479467094" Version="2.0" IsPassive="false" IssueInstant="2020-09-28T13:21:52.4724382-04:00" Destination="https//accme.us.auth0.com/samlp/cHQ45qeedY2jD5936vKZ9tXXElMwa1xC/logout?" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https//sandboxparsa.accme.org/</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="https//localhost:44332" />
<samlp:SessionIndex>_r-UEMOsrwXC1_NsAPrVfIcL9zhrhpPF4</samlp:SessionIndex>
</samlp:LogoutRequest>

BTW, I had to remove some ‘:’ characters from my markup above in order to post

Does anyone have any idea as to what is going wrong here? I’m having exactly the same issue.

I have checked the name id and the sessionIndex returned by Auth0 on login with what I’m using in my SAML logout request and they match exactly.

LoginResponse

<saml:AuthnStatement AuthnInstant="2020-11-12T10:43:34.096Z" SessionIndex="_-6153NbsfzVfYFOrbfm5MJg5zlNB9i_5">

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">kar-100@alias.inovem.com</saml:NameID>

LogoutRequest

<samlp:SessionIndex xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> _-6153NbsfzVfYFOrbfm5MJg5zlNB9i_5</samlp:SessionIndex>

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">kar-100@alias.inovem.com</saml:NameID>

Kevin
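
The NameID and SessionIndex comparison described in this thread can be done mechanically. The following is an added example, not code from either poster or from Auth0: it extracts the NameID text, the NameID Format and the SessionIndex from a login response and a LogoutRequest without trimming, and lists every exact-match difference, including ones that are whitespace only. The sample messages, identifiers and function names are constructed for illustration, and the check does not say which difference a given IdP rejects.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml for XML you did not create

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:"

def session_fields(xml_text):
    """Return NameID text, NameID Format and SessionIndex values, untrimmed."""
    root = ET.fromstring(xml_text)
    nid = root.find(".//saml:NameID", NS)
    idx = [e.get("SessionIndex") for e in root.findall(".//saml:AuthnStatement", NS)]
    idx += [e.text or "" for e in root.findall(".//samlp:SessionIndex", NS)]
    return {"name_id": None if nid is None else nid.text or "",
            "format": None if nid is None else nid.get("Format"),
            "indexes": [i for i in idx if i is not None]}

def _diff(label, sent, issued):
    if sent == issued:
        return []
    kind = "whitespace only" if sent.strip() == issued.strip() else "value"
    return [f"{label} differs ({kind}): {sent!r} vs {issued!r}"]

def compare(login_response, logout_request):
    """List exact-match differences between issued and returned identifiers."""
    issued, sent = session_fields(login_response), session_fields(logout_request)
    if sent["name_id"] is None:
        return ["LogoutRequest has no saml:NameID"]
    problems = _diff("NameID", sent["name_id"], issued["name_id"] or "")
    if sent["format"] != issued["format"]:
        problems.append(f"NameID Format differs: {sent['format']} vs {issued['format']}")
    for s in sent["indexes"]:
        if s not in issued["indexes"]:
            problems += _diff("SessionIndex", s, (issued["indexes"] or [""])[0])
    return problems

# Constructed sample messages (not the posters' data).
LOGIN = (f'<samlp:Response {XMLNS}><saml:Assertion><saml:Subject>'
         f'<saml:NameID Format="{FMT}unspecified">user-1</saml:NameID>'
         '</saml:Subject><saml:AuthnStatement SessionIndex="_constructed-1"/>'
         '</saml:Assertion></samlp:Response>')

def logout(name_id_xml, index):
    return (f'<samlp:LogoutRequest {XMLNS}>{name_id_xml}'
            f'<samlp:SessionIndex>{index}</samlp:SessionIndex></samlp:LogoutRequest>')

if __name__ == "__main__":
    bad = logout(f'<saml:NameID Format="{FMT}emailAddress">user-1</saml:NameID>',
                 " _constructed-1")
    print("\n".join(compare(LOGIN, bad)))
```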