SAML LogoutResponse

Cherubini_Davide · May 2, 2024, 1:12pm

Hi everyone, in an SP-initiated federation when I log out of the application I get an error in the logs about the SessionID being empty and unable to process the LogoutResponse

Below are the Federation logs:

c.s.i.s.m.SAML2MetaManager: 2024-05-02 14:54:28,362: TransactionId[ae5490fe-773b-46fb-b86d-8ed83af0cf06-245981] DEBUG: SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache DELPHIX_IDP
c.s.i.s.p.LogoutUtil: 2024-05-02 14:54:28,362: TransactionId[ae5490fe-773b-46fb-b86d-8ed83af0cf06-245981] DEBUG: LogoutUtil.getSLOResponseServiceLocation: Number of single logout services = 3
c.s.i.s.p.LogoutUtil: 2024-05-02 14:54:28,362: TransactionId[ae5490fe-773b-46fb-b86d-8ed83af0cf06-245981] DEBUG: LogoutUtil.getSLOResponseServiceLocation: Single logout service binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
c.s.i.s.p.LogoutUtil: 2024-05-02 14:54:28,362: TransactionId[ae5490fe-773b-46fb-b86d-8ed83af0cf06-245981] DEBUG: LogoutUtil.getSLOResponseServiceLocation: Found the single logout service with the desired binding
c.s.i.p.s.i.FMSessionProvider: 2024-05-02 14:54:28,362: TransactionId[ae5490fe-773b-46fb-b86d-8ed83af0cf06-245981] DEBUG: FMSessionProvider.getSession: Could not get the session from the HTTP request: SessionID is empty
j.s.idpSingleLogoutRedirect: 2024-05-02 14:54:28,363: TransactionId[ae5490fe-773b-46fb-b86d-8ed83af0cf06-245981] ERROR: Error processing LogoutResponse
com.sun.identity.plugin.session.SessionException: SessionID is empty
        at com.sun.identity.plugin.session.impl.FMSessionProvider.getSession(FMSessionProvider.java:376)
        at com.sun.identity.saml2.profile.IDPSingleLogout.processLogoutResponse(IDPSingleLogout.java:792)
        at com.sun.identity.saml2.profile.IDPSingleLogout.processLogoutResponse(IDPSingleLogout.java:758)
        at org.apache.jsp.saml2.jsp.idpSingleLogoutRedirect_jsp._jspService(idpSingleLogoutRedirect_jsp.java:196)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.forgerock.openam.headers.SecureCookieFilter.doFilter(SecureCookieFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.forgerock.openam.headers.DisableSameSiteCookiesFilter.doFilter(DisableSameSiteCookiesFilter.java:105)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.forgerock.openam.validation.RequestEntitySizeVerificationFilter.doFilter(RequestEntitySizeVerificationFilter.java:72)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: com.iplanet.sso.SSOException: SessionID is empty
        at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:147)
        at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:160)
        at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:328)
        at com.sun.identity.plugin.session.impl.FMSessionProvider.getSession(FMSessionProvider.java:369)
        ... 55 common frames omitted
Caused by: com.iplanet.dpro.session.SessionException: SessionID is empty
        at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:134)

    ... 58 common frames omitted

How can I solve it?
Thanks in advance

salbertelli01 · May 24, 2024, 8:48pm

Hi Cherubini_Davide,

The com.iplanet.sso.SSOException: SessionID is empty error typically means the session has likely expired and been removed.

What version of AM are you running and what are the Single Logout Service URLs?

One thing you may want to check is to ensure that the application is correctly using SameSite=None. For more details on the SameSite=None requirements, please refer to this knowledge base article: SameSite=None requirements.

Thank you,

Sheila