“No active session(s) found matching LogoutRequest” when trying to do logout request with SAML

Hi,

I’m attempting to configure Auth0 as an IdP. The sign-in process is functioning properly, but I encounter an error message, “No active session(s) found matching LogoutRequest,” when attempting to log out.

“No active session(s) found matching LogoutRequest”

I have gone through the related posts here, but I am still confused. We are using a custom domain and have updated all the domains to the custom domain.

SAML Login Request:

<samlp:AuthnRequest
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_a921b0ca2401daf5dd225296b9cbb96075c6f92b" Version="2.0" ProviderName="Skilljar Course Platform" IssueInstant="2023-06-27T00:42:43Z" Destination="https://abcd.com/samlp/VrzBnZ05xwaMtyw0HQ0GMP5VRMl6j1fc" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://accounts.skilljar.com/auth/saml/xxxxxx/acs">
	<saml:Issuer>https://netbasequid-s.skilljar.com/</saml:Issuer>
	<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"></samlp:NameIDPolicy>
</samlp:AuthnRequest>

SAML Response:

<samlp:Response
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_584b5caab7889edb3181" InResponseTo="ONELOGIN_a921b0ca2401daf5dd225296b9cbb96075c6f92b" Version="2.0" IssueInstant="2023-06-27T00:42:45.391Z" Destination="https://accounts.skilljar.com/auth/saml/xxxxxx/acs">
	<saml:Issuer
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:staging-auth.netbasequid.com
	</saml:Issuer>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
	</samlp:Status>
	<saml:Assertion
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_DhHpBYQeLJyYNV262sxTh9SgiyEcpluK" IssueInstant="2023-06-27T00:42:45.342Z">
		<saml:Issuer>urn:staging-auth.netbasequid.com</saml:Issuer>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress">elin@netbase.com</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData NotOnOrAfter="2023-06-27T01:42:45.342Z" Recipient="https://accounts.skilljar.com/auth/saml/xxxxxx/acs" InResponseTo="ONELOGIN_a921b0ca2401daf5dd225296b9cbb96075c6f92b"></saml:SubjectConfirmationData>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2023-06-27T00:42:45.342Z" NotOnOrAfter="2023-06-27T01:42:45.342Z">
			<saml:AudienceRestriction>
				<saml:Audience>https://netbasequid-s.skilljar.com/</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2023-06-27T00:42:45.342Z" SessionIndex="_881_qsI347ciiANWLJfqlaLjNg8FzqMo">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement
			xmlns:xs="http://www.w3.org/2001/XMLSchema"
			xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
			<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue xsi:type="xs:string">elin@netbase.com</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue xsi:type="xs:string">Eric-pro</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml:AttributeValue xsi:type="xs:string">elin@netbase.com</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

SAML Logout Request:

<samlp:LogoutRequest
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_12b6611fc25128e7c27b0592ae1e8e975a53550b" Version="2.0" IssueInstant="2023-06-27T00:48:10Z" Destination="https://staging-auth.netbasequid.com/samlp/VrzBnZ05xwaMtyw0HQ0GMP5VRMl6j1fc/logout">
	<saml:Issuer>https://netbasequid-s.skilljar.com/</saml:Issuer>
	<saml:EncryptedID>
		<xenc:EncryptedData
			xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
			xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Type="http://www.w3.org/2001/04/xmlenc#Element">
			<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
			<dsig:KeyInfo
				xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
				<xenc:EncryptedKey>
					<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
					<xenc:CipherData>
						<xenc:CipherValue>oDPwmu305IJXZyrI...==</xenc:CipherValue>
					</xenc:CipherData>
				</xenc:EncryptedKey>
			</dsig:KeyInfo>
			<xenc:CipherData>
				<xenc:CipherValue>smV366XEM1SbD...3EAg=</xenc:CipherValue>
			</xenc:CipherData>
		</xenc:EncryptedData>
	</saml:EncryptedID>
	<samlp:SessionIndex>_881_qsI347ciiANWLJfqlaLjNg8FzqMo</samlp:SessionIndex>
</samlp:LogoutRequest>

Settings Add on:

{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "logout": {
    "callback": "https://accounts.skilljar.com/auth/saml/xxxxxx/sls",
    "slo_enabled": true
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}

I have a couple of questions:

  1. Considering the Request and Response mentioned above, I noticed that we didn’t include the NameID in the LogoutRequest. Could this potentially cause the problem?
  2. I noticed that the issuer value is the same for AuthnRequest and LogoutRequest, but not for the Response. Should this be a concern?

I would greatly appreciate any assistance that can be provided.
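
An added diagnostic, not part of the original post and not Auth0 or Skilljar code: it parses trimmed copies of the Response and LogoutRequest above and compares the fields that link a logout to the earlier login (identifier element, SessionIndex, and Issuer versus Audience). The helper names `text` and `correlate` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

# Constructed sample: the post's Response and LogoutRequest, trimmed to the
# elements used for session matching (ciphertext and other attributes dropped).
RESPONSE = f"""<samlp:Response {XMLNS}><saml:Assertion>
  <saml:Issuer>urn:staging-auth.netbasequid.com</saml:Issuer>
  <saml:Subject><saml:NameID>elin@netbase.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://netbasequid-s.skilljar.com/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement SessionIndex="_881_qsI347ciiANWLJfqlaLjNg8FzqMo"/>
</saml:Assertion></samlp:Response>"""
LOGOUT = f"""<samlp:LogoutRequest {XMLNS}>
  <saml:Issuer>https://netbasequid-s.skilljar.com/</saml:Issuer>
  <saml:EncryptedID/>
  <samlp:SessionIndex>_881_qsI347ciiANWLJfqlaLjNg8FzqMo</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None

def correlate(response_xml, logout_xml):
    """Compare the fields that tie a LogoutRequest to an earlier assertion."""
    a = ET.fromstring(response_xml).find("saml:Assertion", NS)
    lr = ET.fromstring(logout_xml)
    # SAML core: the principal is named by one of BaseID, NameID, EncryptedID.
    ident = next((t for t in ("NameID", "EncryptedID", "BaseID")
                  if lr.find(f"saml:{t}", NS) is not None), None)
    stmt = a.find("saml:AuthnStatement", NS)
    return {
        "identifier_element": ident,
        # Plaintext comparison is only possible when NameID is sent in the clear.
        "name_id_matches": (text(lr, "saml:NameID") == text(a, "saml:Subject/saml:NameID")
                            if ident == "NameID" else None),
        "session_index_matches": text(lr, "samlp:SessionIndex") == stmt.get("SessionIndex"),
        # The request's Issuer is the SP, so compare it with the assertion's
        # Audience rather than with the IdP's Issuer.
        "issuer_is_audience": text(lr, "saml:Issuer") == text(
            a, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
    }

if __name__ == "__main__":
    for key, value in correlate(RESPONSE, LOGOUT).items():
        print(f"{key}: {value}")
```

A `name_id_matches` value of `None` means the request carries an `EncryptedID` (or `BaseID`), so the identifier can only be compared after decryption on the IdP side.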