
SAML LogoutRequest (No active session(s))


#1

I have been beating my head against the wall on this issue. I am trying to get a good single logout command, but I keep getting “No active session(s) found matching LogoutRequest.”

I tried to attach a file, but it kept saying it couldn’t determine the size of the image (it was a .txt file), so here’s hoping the “pre-formatted” text option works the way it should–it’s kind of a sucky tool.

Quick update
I hit the “Debug” button on the SAML 2.0 add-in feature. I copied the session index and pasted it into my code as a hard-coded value. When I did that, I was able to successfully log out. I did not do anything else to the code. I even evaluated the response from the debug and it looks JUST LIKE the one I was getting when I successfully logged in. I’m still confused.
End Update

The first set is the SAML AuthnRequest. The second is the SAML Response from the IdP. The third is the LogoutRequest which results in the error.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="iX...gg" Version="2.0" ProviderName="SAML Test" IssueInstant="{ts '2018-10-11 01:05:39'}" Destination="https://xxx.auth0.com/samlp/iX...gg" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1/.../acs.cfm">
    <saml:Issuer>http://127.0.0.1/.../login.cfm</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_27a515a81a4f7aaa65af" Version="2.0" IssueInstant="2018-10-11T05:07:02Z" Destination="https://xxx.auth0.com/samlp/iX...gg">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:xxx.auth0.com</saml:Issuer>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_9IaK77nQM4bkdcEH7Pebyf4cJ7wJPudO" IssueInstant="2018-10-11T05:07:02.491Z">
    <saml:Issuer>urn:xxx.auth0.com</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_9IaK77nQM4bkdcEH7Pebyf4cJ7wJPudO">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>/YhxaDzmHtFUHan4PsXHIb9ssWM=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>V...Q==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>M...w==</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|5bab...d4f</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2018-10-11T06:07:02.491Z" Recipient="http://127.0.0.1/.../acs.cfm" />
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-10-11T05:07:02.491Z" NotOnOrAfter="2018-10-11T06:07:02.491Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:sonis</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-10-11T05:07:02.491Z" SessionIndex="_7plejmaBu4FFB0bQRvLT7KhVoBhkqjpy">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">auth0|5bab0495dcd6892160030d4f</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">me@me.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">me@me.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">me@me.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">iXkXd_4i6AZ1a6GhEGlCbU8XvOJfdBgg</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:anyType">Thu Oct 11 2018 04:39:32 GMT+0000 (UTC)</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/03ee3427b1c5018c86af6c2fab0b4c5e?s=480&amp;r=pg&amp;d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fsh.png</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">Mememe</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:anyType">Wed Sep 26 2018 04:01:25 GMT+0000 (UTC)</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="iX...gg" Version="2.0" IssueInstant="{ts '2018-10-11 01:07:02'}" Destination="https://xxx.auth0.com/samlp/iX...gg/logout" ProviderName="SAML Test">
	<saml:Issuer>http://127.0.0.1/.../acs.cfm</saml:Issuer>
	<saml:NameID>me@me.com</saml:NameID>
	<samlp:SessionIndex>_7plejmaBu4FFB0bQRvLT7KhVoBhkqjpy</samlp:SessionIndex>
</samlp:LogoutRequest>

#2

Hey there @shanekakola, in our doc below we have a use case for the error you are seeing, “No active session(s) found matching LogoutRequest.”, which states: “The SessionIndex and NameID values in the SAML Logout request need to match the ones received by the service provider in the original SAML assertion.” Can you check this for me when you get a moment? Thanks in advance!
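
The check described in the reply above, as an added example (not part of the original thread and not Auth0's code): a Python sketch that pulls the NameID and SessionIndex out of the assertion and out of the LogoutRequest and reports any difference. The embedded messages are reduced from the ones posted in #1, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLNS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"')

# Reduced from the messages in #1: signature and attributes omitted,
# elided values kept exactly as posted.
RESPONSE = f"""<samlp:Response {XMLNS}>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|5bab...d4f</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement SessionIndex="_7plejmaBu4FFB0bQRvLT7KhVoBhkqjpy"/>
  </saml:Assertion>
</samlp:Response>"""

LOGOUT = f"""<samlp:LogoutRequest {XMLNS}>
  <saml:NameID>me@me.com</saml:NameID>
  <samlp:SessionIndex>_7plejmaBu4FFB0bQRvLT7KhVoBhkqjpy</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def session_keys(xml_text):
    """Return (NameID text, NameID Format, set of SessionIndex values)."""
    # Diagnostic use on your own captures; parse untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None:
        raise ValueError("no saml:NameID found (encrypted IDs are not handled)")
    # The assertion carries SessionIndex as an attribute, the request as an element.
    indexes = {e.get("SessionIndex")
               for e in root.iterfind(".//saml:AuthnStatement", NS)
               if e.get("SessionIndex")}
    indexes |= {(e.text or "").strip()
                for e in root.iterfind(".//samlp:SessionIndex", NS)}
    return (name_id.text or "").strip(), name_id.get("Format"), indexes

def logout_mismatches(response_xml, logout_xml):
    """List the fields of the LogoutRequest that differ from the assertion."""
    a_id, a_fmt, a_idx = session_keys(response_xml)
    l_id, l_fmt, l_idx = session_keys(logout_xml)
    problems = []
    if l_id != a_id:
        problems.append(f"NameID: assertion={a_id!r} logout={l_id!r}")
    if l_fmt is not None and l_fmt != a_fmt:
        problems.append(f"NameID Format: assertion={a_fmt!r} logout={l_fmt!r}")
    if not l_idx <= a_idx:
        problems.append(f"SessionIndex: assertion={sorted(a_idx)} logout={sorted(l_idx)}")
    return problems

if __name__ == "__main__":
    print(logout_mismatches(RESPONSE, LOGOUT) or "LogoutRequest matches the assertion")
```

Note that the comparison uses the `saml:NameID` of the assertion's Subject, not the e-mail address returned in the attribute statement.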


#3

First of all, my apologies for taking so long. I have verified (by outputting the SAML Response to the screen) that the sessionIndex, and the nameID supplied for logout match the sessionIndex returned by the successful login and the NameID used to authenticate.