I am seeing this error message in response. Any idea what could be causing this. Below you will see the error message.
Error Message:
Missing SessionIndex: session participants MUST include at least one element in the logout request
===========
SAML Response:
<samlp:LogoutResponse Version=“2.0”
ID=“Mn6DpXTiZXxuOww6zzzpRHAtQml”
IssueInstant=“2016-08-30T21:54:10.811Z”
InResponseTo=“_f6352465-5218-43be-9eb8-c335a16b3f09”
Destination=“<a href=“https://xxx.com/ssosp/saml2/post/logoff””>https://xxx.com/ssosp/saml2/post/logoff"
xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”
>
<saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>https://XXX.com</saml:Issuer>
<ds:Signature xmlns:ds=“”>http://www.w3.org/2000/09/xmldsig#“>
ds:SignedInfo
<ds:CanonicalizationMethod Algorithm=”<a href=“http://www.w3.org/2001/10/xml-exc-c14n#”“>http://www.w3.org/2001/10/xml-exc-c14n#” />
<ds:SignatureMethod Algorithm=“<a href=“http://www.w3.org/2000/09/xmldsig#rsa-sha1"”>http://www.w3.org/2000/09/xmldsig#rsa-sha1” />
<ds:Reference URI=“#Mn6DpXTiZXxuOww6zzzpRHAtQml”>
ds:Transforms
<ds:Transform Algorithm=“<a href=“http://www.w3.org/2000/09/xmldsig#enveloped-signature””>http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm=“<a href=“http://www.w3.org/2001/10/xml-exc-c14n#””>http://www.w3.org/2001/10/xml-exc-c14n#“ />
</ds:Transforms>
<ds:DigestMethod Algorithm=”<a href=“http://www.w3.org/2000/09/xmldsig#sha1"”>http://www.w3.org/2000/09/xmldsig#sha1" />
ds:DigestValuePPbfOZOFlNPcdIcQt4pIM+fJa/o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
ds:SignatureValue
XXX
</ds:SignatureValue>
ds:KeyInfo
ds:X509Data
ds:X509Certificate
XXX
</ds:X509Certificate>
</ds:X509Data>
ds:KeyValue
ds:RSAKeyValue
ds:Modulus
XXX
</ds:Modulus>
ds:ExponentAQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
samlp:Status
<samlp:StatusCode Value=“urn:oasis:names:tc:SAML:2.0:status:Requester” />
samlp:StatusMessageMissing SessionIndex: session participants MUST include at least one element in the logout request</samlp:StatusMessage>
</samlp:Status>
</samlp:LogoutResponse>
It sounds like a session ID wasn’t included in the logout request.
Please enable SAML trace and send the generated log file as an email attachment to our support email address.
I’d like to see the SSO flow as well as the failing logout.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Please enable SAML trace and send the generated log file as an email attachment to our support email address.
I'd like to see the SSO flow as well as the failing logout.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Below you find the code; which i have for logout. The method throws an error message is "response.IsSuccess()"
Here is an error message.
Missing SessionIndex: session participants MUST include at least one element in the logout request
public ActionResult LoggedOff(FormCollection formCollection)
{
//Get the response
string response = formCollection["SamlResponse"];
string state = formCollection["RelayState"];
state = Base64Encoder.Decode(state.Replace(" ", "+"), Encoding.UTF8);
//Deserialize the Relay State
RelayState relayState = XmlHelper.Deserialize(state);
//Get the configuration
Organization config = ((ConfigurationManager)this.HttpContext.Application["ConfigurationManager"]).GetConfiguration(relayState.OrganizationToken);
response = Base64Encoder.Decode(response, config.Encoding);
string samlResponse = response;
bool outcome;
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
//Load the xml
doc.LoadXml(samlResponse);
//Get the response xml
XmlElement responseXml = doc.DocumentElement;
//Check if we should verify signature
if (this._config.ResponseCertificate != null)
{
X509Certificate2 x509Certificate = this._certificateMgr.GetCertificate(this._config.ResponseCertificate.Name, this._config.ResponseCertificate.InStore);
if (!SAMLMessageSignature.Verify(responseXml, x509Certificate))
{
throw new ArgumentException(String.Format("Unable to verify the SAML message signature. Certificate Name: {0}.", this._config.ResponseCertificate.Name));
}
}
LogoutResponse response = new LogoutResponse(responseXml);
//Check the outcome
outcome = response.IsSuccess();
return outcome;
}
Response.IsSuccess() will return false as the StatusCode is “urn:oasis:names:tc:SAML:2.0:status:Requester”.
You can also replace some of your code with the following SAML low-level API code which will receive and decode the logout message using the HTTP-Post binding.
using ComponentSpace.SAML2.Profiles.SingleLogout;
XmlElement logoutResponse;
string relayState;
SingleLogoutService.ReceiveLogoutResponseByHTTPPost(Request, out logoutResponse, out relayState);
To determines what’s going on, I need the SAML trace as mentioned in my previous reply.
Please enable SAML trace and send the generated log file as an email attachment to our support email address.
I’d like to see the SSO flow as well as the failing logout.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace