I’m using Auth0 as a SAML IdP. Using the “Addon: SAML2 Web App” page, I can click on the “Identity Provider Login URL” and I get logged into my SAML SP. When I log out of my SAML SP, I get the error:
No active session(s) found matching LogoutRequest
My SAML2 Web App addon config is
{
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "logout": {
    "callback": "https://MY_AUTH0_DOMAIN/samlp/CLIENT_ID/logout"
  }
}
Logging out of my SAML SP results in an HTTP GET
https://MY_AUTH0_DOMAIN/samlp/CLIENT_ID/logout?SAMLRequest=<base64 request>
The decoded request is
<saml2p:LogoutRequest ID="f550886a-477a-4f03-baf0-15858d673bba"
    IssueInstant="2018-04-04T02:12:44.839Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:MY_AUTH0_DOMAIN</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout user</saml2:NameID>
  <saml2p:SessionIndex>_s7RKD2yGJkghhqdufiTTjw9W-iUkmNK3</saml2p:SessionIndex>
</saml2p:LogoutRequest>
The SessionIndex matches the successful login response. It seems weird that the NameID is “logout user” and not the original NameID that was in the successful SAML login response; that could be a red herring.
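To check a logout the way the post does (decode the SAMLRequest parameter, then compare NameID and SessionIndex against what the login response carried), here is an added Python example; it is not code from the post or from Auth0, and the sample LogoutRequest, domain and session values are constructed placeholders mirroring the decoded request above.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(param):
    # SAMLRequest is base64; the HTTP-Redirect binding additionally raw-DEFLATEs the XML.
    raw = base64.b64decode(param)
    if raw.startswith(b"<"):                          # HTTP-POST binding: base64 only
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # Redirect binding: inflate first

def parse_logout_request(xml_text):
    # Pull ID, Issuer, NameID and SessionIndex out of a saml2p:LogoutRequest.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["saml2p"]:
        raise ValueError("not a saml2p:LogoutRequest: " + root.tag)
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    return {"id": root.get("ID"), "issuer": text("saml2:Issuer"),
            "name_id": text("saml2:NameID"), "session_index": text("saml2p:SessionIndex")}

def logout_mismatches(logout_url, login_name_id, login_session_index):
    # Compare the LogoutRequest with the login response; an empty list means they are consistent.
    qs = parse_qs(urlparse(logout_url).query)
    req = parse_logout_request(decode_saml_request(qs["SAMLRequest"][0]))
    problems = []
    if req["name_id"] != login_name_id:
        problems.append("NameID %r != login NameID %r" % (req["name_id"], login_name_id))
    if req["session_index"] != login_session_index:
        problems.append("SessionIndex %r != login SessionIndex %r" % (req["session_index"], login_session_index))
    return problems

def encode_redirect(xml_text):
    # Redirect-binding encoding (raw DEFLATE, then base64); used only to build the constructed sample.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")

# Constructed sample mirroring the decoded request quoted in the post (placeholder domain and IDs).
SAMPLE_XML = (
    '<saml2p:LogoutRequest ID="f550886a-477a-4f03-baf0-15858d673bba" IssueInstant="2018-04-04T02:12:44.839Z"'
    ' Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:MY_AUTH0_DOMAIN</saml2:Issuer>'
    '<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout user</saml2:NameID>'
    '<saml2p:SessionIndex>_s7RKD2yGJkghhqdufiTTjw9W-iUkmNK3</saml2p:SessionIndex></saml2p:LogoutRequest>')
SAMPLE_URL = "https://MY_AUTH0_DOMAIN/samlp/CLIENT_ID/logout?SAMLRequest=" + quote(encode_redirect(SAMPLE_XML), safe="")

if __name__ == "__main__":
    print(logout_mismatches(SAMPLE_URL, "alice@example.com", "_s7RKD2yGJkghhqdufiTTjw9W-iUkmNK3"))
```

Run against a real logout URL with the NameID and SessionIndex taken from the login response, it reports exactly the NameID discrepancy the post wonders about, which is what the IdP matches sessions on.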