1. Access mod_auth_mellon and log in at the IdP. mod_auth_mellon receives a SAML assertion whose NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" and creates a session.
2. Close the browser.
3. Access mod_auth_mellon again and log in at the IdP with the same user ID. mod_auth_mellon creates a new session. (At this point, two sessions exist with the same NameID.)
4. IdP-initiated Single Logout -> Internal Server Error
(The SAML assertion and the Single Logout request issued by the IdP contain a SessionIndex.)
SAML 2.0 Core (section 3.7.3.2, Session Participant Rules) says:
When a session participant receives a <LogoutRequest> message, the session participant MUST authenticate the message. If the sender is the authority that provided an assertion containing an authentication statement linked to the principal's current session, the session participant MUST invalidate the principal's session(s) referred to by the <saml:BaseID>, <saml:NameID>, or <saml:EncryptedID> element, and any <SessionIndex> elements supplied in the message. If no <SessionIndex> elements are supplied, then all sessions associated with the principal MUST be invalidated.
Occurred in version: 0.19.0
mod_auth_mellon performs the single logout without reference to the SessionIndex. However, lasso verifies the SessionIndex, resulting in an error.
I think that mod_auth_mellon must conform to the SAML 2.0 Core specification.
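A worked illustration of the session participant rule quoted above, added here as an example; it is not code from mod_auth_mellon or lasso. It parses a <samlp:LogoutRequest>, then invalidates only the sessions of the named principal whose SessionIndex is listed, or all of the principal's sessions when no SessionIndex is present, so the two-sessions-one-NameID situation from the report no longer has to fail. The SpSession shape, the build_logout_request/apply_logout_request names, the NameID "user-42", the SessionIndex values and the session table are all constructed for the example, and message authentication (the signature check) is represented only by the issuer_verified precondition.

```python
"""Added example: apply the SAML 2.0 Core session participant rule for a
<LogoutRequest> to a table of SP sessions.  Illustrative code, not
mod_auth_mellon or lasso code.  Message authentication (signature checks)
is out of scope and represented by the issuer_verified precondition; the
session table, NameID values and SessionIndex values are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


@dataclass(frozen=True)
class SpSession:
    """One SP-side session as a session participant would cache it (hypothetical shape)."""
    cookie: str                   # SP session identifier
    name_id: str                  # <saml:NameID> value from the assertion
    name_id_format: str           # Format attribute of that NameID
    session_index: Optional[str]  # SessionIndex from the <AuthnStatement>, if any


def build_logout_request(name_id: str, session_indexes: Sequence[str] = (),
                         name_id_format: str = PERSISTENT) -> str:
    """Build a minimal IdP-style <samlp:LogoutRequest> (unsigned, for the example)."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    root = ET.Element(f"{{{NS['samlp']}}}LogoutRequest",
                      {"ID": "_example-req", "Version": "2.0",
                       "IssueInstant": "2024-01-01T00:00:00Z"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = "https://idp.example.com/metadata"
    nid = ET.SubElement(root, f"{{{NS['saml']}}}NameID", {"Format": name_id_format})
    nid.text = name_id
    for idx in session_indexes:
        ET.SubElement(root, f"{{{NS['samlp']}}}SessionIndex").text = idx
    return ET.tostring(root, encoding="unicode")


def parse_logout_request(xml_text: str) -> Tuple[str, str, List[str]]:
    """Return (NameID value, NameID format, [SessionIndex values])."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    nid = root.find("saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():
        # The spec also allows BaseID/EncryptedID; this example handles only NameID.
        raise ValueError("LogoutRequest carries no usable saml:NameID")
    indexes = [e.text.strip() for e in root.findall("samlp:SessionIndex", NS)
               if e.text and e.text.strip()]
    return nid.text.strip(), nid.get("Format", UNSPECIFIED), indexes


def apply_logout_request(sessions: Sequence[SpSession], xml_text: str,
                         issuer_verified: bool) -> Tuple[List[str], List[SpSession]]:
    """Invalidate sessions per SAML 2.0 Core 3.7.3.2.

    Returns (cookies of invalidated sessions, sessions that remain).  With
    SessionIndex elements present, only this principal's sessions whose index
    is listed are invalidated; with none present, all of the principal's
    sessions are.  No match is not an error: the request is a no-op here.
    """
    if not issuer_verified:
        # The participant MUST authenticate the message before acting on it.
        raise PermissionError("LogoutRequest not authenticated; refusing to act")
    name_id, fmt, indexes = parse_logout_request(xml_text)
    killed, remaining = [], []
    for s in sessions:
        same_principal = s.name_id == name_id and s.name_id_format == fmt
        if same_principal and (not indexes or s.session_index in indexes):
            killed.append(s.cookie)
        else:
            remaining.append(s)
    return killed, remaining


def make_sample_sessions() -> List[SpSession]:
    """Constructed session table reproducing the report: two logins, one NameID."""
    return [
        SpSession("sp-sess-1", "user-42", PERSISTENT, "idx-1"),  # browser closed, never logged out
        SpSession("sp-sess-2", "user-42", PERSISTENT, "idx-2"),  # second login, same NameID
        SpSession("sp-sess-3", "user-7", PERSISTENT, "idx-9"),   # unrelated principal
    ]


if __name__ == "__main__":
    table = make_sample_sessions()
    req = build_logout_request("user-42", ["idx-2"])
    killed, left = apply_logout_request(table, req, issuer_verified=True)
    print("invalidated:", killed, "remaining:", [s.cookie for s in left])
```

Matching on NameID plus Format follows the spec's notion of the principal identifier; a stale session from the first login (idx-1) is left alone when the IdP's request names idx-2 only, and is swept up only when the request carries no SessionIndex at all.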