Internal Server Error when IdP-Initiated Single Logout #140

Open
oss-aimoto opened this issue Apr 4, 2024 · 0 comments

Occurred version: 0.19.0

  1. Access to mod_auth_mellon, login to the IdP, mod_auth_mellon receives a SAML assertion of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" and creates a session.
  2. Close Browser
  3. Access to mod_auth_mellon, login with the same user ID in the IdP, mod_auth_mellon creates a new session (at this point, two sessions exist with the same NameID)
  4. IdP-Initiated Single Logout. -> Internal Server Error

(The SAML Assertion and Single Logout Request issued by the IdP contains the SessionIndex.)

  • Apache Error_Log
[Thu Apr 04 16:02:00.907470 2024] [auth_mellon:warn] [pid 8] [client 192.168.160.1:59452] Error validating logout request. Lasso error: [304] Unknown principal on logout

mod_auth_mellon performs a single logout without reference to the SessionIndex. However, lasso verifies the SessionIndex, resulting in an error.

I think that mod_auth_mellon must conform to the SAML2 core specification.

  • 3.7.3.1 Session Participant Rules
When a session participant receives a <LogoutRequest> message, the session participant MUST
authenticate the message. If the sender is the authority that provided an assertion containing an
authentication statement linked to the principal's current session, the session participant MUST invalidate
the principal's session(s) referred to by the <saml:BaseID>, <saml:NameID>, or
<saml:EncryptedID> element, and any <SessionIndex> elements supplied in the message. If no
<SessionIndex> elements are supplied, then all sessions associated with the principal MUST be
invalidated.
oss-aimoto added a commit to oss-aimoto/mod_auth_mellon that referenced this issue Apr 4, 2024
Stores the SessionIndex in the cache, Validate SessionIndex on single logout.
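The session participant rule quoted above, as an added worked example (not mod_auth_mellon's or lasso's code): a constructed SP session store in the state the report reaches after steps 1 and 3, and a logout handler that applies 3.7.3.1 to a constructed IdP-initiated LogoutRequest. The store layout, names and values are assumptions, and authentication of the message (signature checking) is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP session store, as it would look after the report's steps 1 and 3:
# two live sessions for the same persistent NameID, each with its own SessionIndex.
SESSIONS = {
    "sp-session-A": {"name_id": "user-persistent-id", "session_index": "_idx_1"},
    "sp-session-B": {"name_id": "user-persistent-id", "session_index": "_idx_2"},
    "sp-session-C": {"name_id": "other-user", "session_index": "_idx_3"},
}

def parse_logout_request(xml_text):
    """Return (NameID, [SessionIndex, ...]) from a LogoutRequest. Signature
    checking (the 'MUST authenticate' step) is assumed to be done by the caller."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("LogoutRequest without a NameID")
    indexes = [e.text.strip() for e in root.findall("samlp:SessionIndex", NS) if e.text]
    return name_id.text.strip(), indexes

def sessions_to_invalidate(sessions, name_id, session_indexes):
    """3.7.3.1: sessions of this principal matching any supplied SessionIndex;
    with no SessionIndex supplied, every session of the principal."""
    hits = sorted(sid for sid, s in sessions.items()
                  if s["name_id"] == name_id
                  and (not session_indexes or s["session_index"] in session_indexes))
    if not hits:
        # Nothing matches: report it instead of silently answering "logged out".
        raise LookupError("no session for this principal/SessionIndex")
    return hits

def handle_logout(sessions, xml_text):
    """Process one LogoutRequest against the store; returns the session ids dropped."""
    name_id, indexes = parse_logout_request(xml_text)
    dropped = sessions_to_invalidate(sessions, name_id, indexes)
    for sid in dropped:
        del sessions[sid]
    return dropped

# Constructed IdP-initiated LogoutRequest naming only the second session.
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2024-04-04T07:02:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-persistent-id</saml:NameID>
  <samlp:SessionIndex>_idx_2</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```

With the SessionIndex present only the matching session is dropped and the other session of the same NameID survives; with no SessionIndex both are dropped.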