No active session(s) found matching LogoutRequest

I’m using Auth0 as a SAML IdP. Using the “Addon: SAML2 Web App” page, I can click on the “Identity Provider Login URL” and I get logged into my SAML SP. When I log out of my SAML SP, I get the error:

No active session(s) found matching LogoutRequest

My SAML2 Web App addon config is

{
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "logout": {
    "callback": "https://MY_AUTH0_DOMAIN/samlp/CLIENT_ID/logout"
  }
}

Logging out of my SAML SP results in an HTTP GET

https://MY_AUTH0_DOMAIN/samlp/CLIENT_ID/logout?SAMLRequest=<base 64 request>

The decoded request is

<saml2p:LogoutRequest ID="f550886a-477a-4f03-baf0-15858d673bba"
    IssueInstant="2018-04-04T02:12:44.839Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:MY_AUTH0_DOMAIN</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout user</saml2:NameID>
  <saml2p:SessionIndex>_s7RKD2yGJkghhqdufiTTjw9W-iUkmNK3</saml2p:SessionIndex>
</saml2p:LogoutRequest>

The SessionIndex matches the successful login response. It seems weird that the NameID is “logout user” and not the original NameID that was in the successful SAML login response; that could be a red herring.

Hi @acabrera. Just answered your ticket, but double-posting here in case it helps others.

As you guessed, the incorrect NameID is causing the error here. The NameID in the SAML Logout Request sent by the service provider (client application) needs to match the NameID originally received from Auth0 in the SAML Assertion.
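An added illustration (not code from the thread or from Auth0) of the IdP-side check the answer describes: a LogoutRequest is matched against the IdP's live sessions by SessionIndex and by the NameID that was issued in the original assertion, so a request carrying NameID "logout user" (as in the question) matches nothing, while one carrying the original NameID does. The session table, the e-mail NameID and the SP issuer are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for the IdP's session table: keyed by SessionIndex,
# holding the NameID that was issued in the original SAML assertion.
ACTIVE_SESSIONS = {
    "_s7RKD2yGJkghhqdufiTTjw9W-iUkmNK3": {
        "name_id": "alice@example.com",  # constructed value
        "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    }
}


def parse_logout_request(xml_text):
    """Return (issuer, name_id, session_index) from a SAML 2.0 LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a saml2p:LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    session_index = root.findtext("samlp:SessionIndex", namespaces=NS)
    return issuer, name_id, session_index


def match_session(xml_text, sessions=ACTIVE_SESSIONS):
    """IdP-side lookup: the request must name a live SessionIndex AND carry
    the NameID that session was issued with. Returns the session or None,
    which is the condition behind "No active session(s) found"."""
    _issuer, name_id, session_index = parse_logout_request(xml_text)
    session = sessions.get(session_index)
    if session is None or session["name_id"] != name_id:
        return None
    return session


def build_logout_request(name_id, session_index):
    """Constructed LogoutRequest in the same shape as the one in the question."""
    template = (
        '<saml2p:LogoutRequest ID="_constructed-id" Version="2.0" '
        'IssueInstant="2018-04-04T02:12:44.839Z" '
        'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        'urn:sp.example.com</saml2:Issuer>'  # constructed SP entity ID
        '<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">%s</saml2:NameID>'
        '<saml2p:SessionIndex>%s</saml2p:SessionIndex>'
        '</saml2p:LogoutRequest>'
    )
    return template % (name_id, session_index)
```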