Hi,
I’m attempting to configure Auth0 as an IdP. The sign-in process is functioning properly, but I encounter an error message, “No active session(s) found matching LogoutRequest,” when attempting to log out.
I have gone through the related posts here, but I am still confused. We are using a custom domain and have updated all the domains to the custom domain.
SAML Login Request:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_a921b0ca2401daf5dd225296b9cbb96075c6f92b" Version="2.0" ProviderName="Skilljar Course Platform" IssueInstant="2023-06-27T00:42:43Z" Destination="https://abcd.com/samlp/VrzBnZ05xwaMtyw0HQ0GMP5VRMl6j1fc" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://accounts.skilljar.com/auth/saml/xxxxxx/acs">
<saml:Issuer>https://netbasequid-s.skilljar.com/</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"></samlp:NameIDPolicy>
</samlp:AuthnRequest>
SAML Response:
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_584b5caab7889edb3181" InResponseTo="ONELOGIN_a921b0ca2401daf5dd225296b9cbb96075c6f92b" Version="2.0" IssueInstant="2023-06-27T00:42:45.391Z" Destination="https://accounts.skilljar.com/auth/saml/xxxxxx/acs">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:staging-auth.netbasequid.com
</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_DhHpBYQeLJyYNV262sxTh9SgiyEcpluK" IssueInstant="2023-06-27T00:42:45.342Z">
<saml:Issuer>urn:staging-auth.netbasequid.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress">elin@netbase.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2023-06-27T01:42:45.342Z" Recipient="https://accounts.skilljar.com/auth/saml/xxxxxx/acs" InResponseTo="ONELOGIN_a921b0ca2401daf5dd225296b9cbb96075c6f92b"></saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2023-06-27T00:42:45.342Z" NotOnOrAfter="2023-06-27T01:42:45.342Z">
<saml:AudienceRestriction>
<saml:Audience>https://netbasequid-s.skilljar.com/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2023-06-27T00:42:45.342Z" SessionIndex="_881_qsI347ciiANWLJfqlaLjNg8FzqMo">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">elin@netbase.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Eric-pro</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">elin@netbase.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
SAML Logout Request:
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_12b6611fc25128e7c27b0592ae1e8e975a53550b" Version="2.0" IssueInstant="2023-06-27T00:48:10Z" Destination="https://staging-auth.netbasequid.com/samlp/VrzBnZ05xwaMtyw0HQ0GMP5VRMl6j1fc/logout">
<saml:Issuer>https://netbasequid-s.skilljar.com/</saml:Issuer>
<saml:EncryptedID>
<xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<dsig:KeyInfo
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
<xenc:CipherData>
<xenc:CipherValue>oDPwmu305IJXZyrI...==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>smV366XEM1SbD...3EAg=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedID>
<samlp:SessionIndex>_881_qsI347ciiANWLJfqlaLjNg8FzqMo</samlp:SessionIndex>
</samlp:LogoutRequest>
Settings Add-on:
{
"mappings": {
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
},
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
],
"logout": {
"callback": "https://accounts.skilljar.com/auth/saml/xxxxxx/sls",
"slo_enabled": true
},
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}
I have a couple of questions:
- Considering the Request and Response mentioned above, I noticed that we didn’t include the NameID in the LogoutRequest. Could this potentially cause the problem?
- I noticed that the issuer value is the same for AuthnRequest and LogoutRequest, but not for the Response. Should this be a concern?
I would greatly appreciate any assistance that can be provided.
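An added diagnostic, not part of the original post and not Auth0's or Skilljar's code: it parses a SAML Response and a LogoutRequest with the standard library and lists the mismatches a generic IdP session lookup would trip over (SessionIndex, NameID value and Format, Issuer roles, Destination). It encodes two SAML facts relevant to the questions above: messages the SP originates (AuthnRequest, LogoutRequest) carry the SP entity ID as Issuer while the Response carries the IdP's, so that difference is expected; and an EncryptedID replaces the NameID, so the IdP can only match it after decrypting it with its own key. The sample messages, entity IDs and URLs are constructed placeholders that mirror the structure of the messages in the post; the functions `session_from_response`, `parse_logout_request`, `check_logout`, `sample_logout` and `diagnose` are names chosen here.

```python
# Added example: cross-check a SAML LogoutRequest against the session a SAML
# Response established. Generic checks, not Auth0's internal matching logic.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def session_from_response(response_xml):
    """Pull the fields an IdP keys a session on out of a SAML Response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "audience": audience.strip(),
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "session_index": authn.get("SessionIndex"),
    }


def parse_logout_request(logout_xml):
    """Pull the session-identifying fields out of a SAML LogoutRequest."""
    root = ET.fromstring(logout_xml)
    name_id = root.find("saml:NameID", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination"),
        "name_id": name_id.text.strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "has_encrypted_id": root.find("saml:EncryptedID", NS) is not None,
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
    }


def check_logout(session, logout, sp_entity_id, idp_entity_id, idp_logout_url):
    """Return human-readable findings; an empty list means the request lines up."""
    findings = []
    # Issuer roles: SP-originated messages carry the SP entity ID, the Response the IdP's.
    if logout["issuer"] != sp_entity_id:
        findings.append(f"LogoutRequest Issuer {logout['issuer']!r} is not the SP entity ID")
    if session["issuer"] != idp_entity_id:
        findings.append(f"Response Issuer {session['issuer']!r} is not the IdP entity ID")
    if session["audience"] and session["audience"] != sp_entity_id:
        findings.append("Assertion Audience does not match the SP entity ID")
    if logout["destination"] != idp_logout_url:
        findings.append(f"LogoutRequest Destination {logout['destination']!r} is not the IdP logout URL")
    if logout["session_index"] != session["session_index"]:
        findings.append("SessionIndex does not match the AuthnStatement SessionIndex")
    if logout["has_encrypted_id"]:
        findings.append("subject is sent as EncryptedID; the IdP can only match it after decrypting with its own key")
    elif logout["name_id"] is None:
        findings.append("LogoutRequest carries neither NameID nor EncryptedID")
    else:
        if logout["name_id"] != session["name_id"]:
            findings.append("NameID value differs from the one asserted at login")
        if logout["name_id_format"] != session["name_id_format"]:
            findings.append("NameID Format differs from the asserted one (most implementations compare the URI as an exact string)")
    return findings


# Constructed sample messages with placeholder values (not the poster's real traffic).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>urn:idp.example.test</saml:Issuer>
  <saml:Assertion Version="2.0" ID="_a1">
    <saml:Issuer>urn:idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress">user@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="_sess_01"/>
  </saml:Assertion>
</samlp:Response>"""

PLAIN_SUBJECT = ('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress">'
                 'user@example.test</saml:NameID>')
ENCRYPTED_SUBJECT = ('<saml:EncryptedID><xenc:EncryptedData '
                     'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedID>')


def sample_logout(subject_xml, session_index="_sess_01"):
    """Build a constructed LogoutRequest around the given subject element."""
    return f"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lr1" Version="2.0"
    Destination="https://idp.example.test/samlp/CLIENTID/logout">
  <saml:Issuer>https://sp.example.test/</saml:Issuer>
  {subject_xml}
  <samlp:SessionIndex>{session_index}</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def diagnose(logout_xml):
    """Run the checks for the constructed SP/IdP pair and return the findings."""
    session = session_from_response(SAMPLE_RESPONSE)
    return check_logout(session, parse_logout_request(logout_xml),
                        sp_entity_id="https://sp.example.test/",
                        idp_entity_id="urn:idp.example.test",
                        idp_logout_url="https://idp.example.test/samlp/CLIENTID/logout")


if __name__ == "__main__":
    for label, xml in (("plain NameID", sample_logout(PLAIN_SUBJECT)),
                       ("EncryptedID", sample_logout(ENCRYPTED_SUBJECT)),
                       ("wrong SessionIndex", sample_logout(PLAIN_SUBJECT, "_sess_99"))):
        print(label, "->", diagnose(xml) or "no findings")
```

Run against real captures, swap the constructed strings for the SP's own AuthnRequest/Response/LogoutRequest and put the real entity IDs and the IdP's logout URL into `diagnose`; a finding about EncryptedID means the comparison has to be repeated on the IdP side after decryption, which the SP cannot do itself.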