IdP endpoint for SAML logout response after an IdP initiated logout request using HTTP redirect binding


As a service provider, when we receive the HTTP Redirect logout request from an IdP, documentation states that we should do the following:

Validate the logout request > Invalidate the user session > Send a logout response back to the identity provider.

Which endpoint do we redirect the logout response back to? I would have thought it would be a part of the logout request but it isn't. Is it just the IdP Single Logout URL?

1 answer

Bernhard Thalmayr (accepted answer)

Typically the IDPSSODescriptor of the IdP metadata defines the SingleLogoutService for each supported protocol binding.

E.g. an excerpt from the IdP metadata of SSOCircle:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/publicidp" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/publicidp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/publicidp" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/publicidp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/publicidp"/>

If you did not receive IdP metadata you need to reach out to the IdP admin and request that information.

Note: It depends on the SP implementation which binding is used to send the LogoutResponse. Some use the same binding which was used by the IdP to send the LogoutRequest, some use the first binding defined in the IdP metadata and some use a specified binding.
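As an added illustration of the answer above (example code written for this page, not code from the question, the answerer or SSOCircle), the following Python shows the SP side of the exchange: look up the SingleLogoutService for a binding in the IdP metadata, prefer its ResponseLocation and fall back to Location, build a successful LogoutResponse whose InResponseTo and Destination match the request and the chosen endpoint, and encode it for the HTTP-Redirect binding. The three SingleLogoutService entries are the ones quoted in the answer; the EntityDescriptor wrapper, the entityID https://idp.example.test, the SP entityID https://sp.example.test/metadata and the request ID are constructed stand-ins. Only the standard library is used.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed IdP metadata: the SingleLogoutService entries are the ones quoted
# in the answer; the EntityDescriptor wrapper and entityID are stand-ins.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/publicidp" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/publicidp"/>
    <SingleLogoutService Binding="{HTTP_POST}" Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/publicidp" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/publicidp"/>
    <SingleLogoutService Binding="{SOAP}" Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/publicidp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def slo_response_endpoint(metadata_xml, binding):
    """Where a LogoutResponse for `binding` must go: the IDPSSODescriptor's
    SingleLogoutService ResponseLocation, or Location when that attribute is absent."""
    root = ET.fromstring(metadata_xml)
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for svc in idp.iter(f"{{{MD_NS}}}SingleLogoutService"):
            if svc.get("Binding") == binding:
                return svc.get("ResponseLocation") or svc.get("Location")
    return None


def build_logout_response(in_response_to, sp_entity_id, destination, now=None):
    """Minimal successful samlp:LogoutResponse. Destination must be the exact
    URL the response is delivered to; IdPs compare the two and reject mismatches."""
    now = now or datetime.now(timezone.utc)
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    resp = ET.Element(f"{{{SAMLP_NS}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "InResponseTo": in_response_to,   # the ID of the IdP's LogoutRequest
    })
    ET.SubElement(resp, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode", {"Value": STATUS_SUCCESS})
    return ET.tostring(resp, encoding="unicode")


def encode_redirect(xml_str, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query.
    Signing (SigAlg/Signature over the query string) is omitted here; add it when
    the IdP requires signed LogoutResponses."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    params = {"SAMLResponse": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state   # echo the IdP's RelayState unchanged
    return urlencode(params)


def redirect_url(endpoint, xml_str, relay_state=None):
    """Full Location header value for the 302 that sends the user back to the IdP."""
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + encode_redirect(xml_str, relay_state)


def decode_redirect(url):
    """Inverse of redirect_url: what the IdP sees after the browser follows the 302."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLResponse"][0])
    return zlib.decompress(raw, -15).decode("utf-8"), qs.get("RelayState", [None])[0]


def answer_logout_request(request_id, relay_state, sp_entity_id, metadata_xml,
                          binding=HTTP_REDIRECT):
    """After the LogoutRequest has been validated and the local session invalidated,
    reply to the IdP's SingleLogoutService for the chosen binding."""
    endpoint = slo_response_endpoint(metadata_xml, binding)
    if endpoint is None:
        raise ValueError(f"IdP metadata has no SingleLogoutService for {binding}")
    xml_str = build_logout_response(request_id, sp_entity_id, endpoint)
    return redirect_url(endpoint, xml_str, relay_state)


if __name__ == "__main__":
    # Constructed request ID and RelayState, as if taken from the IdP's LogoutRequest.
    print(answer_logout_request("_req123", "state-42",
                                "https://sp.example.test/metadata", IDP_METADATA))
```

Two points the code makes explicit: ResponseLocation is optional in metadata, so the SOAP entry above resolves to its Location, and the response's Destination is set to the very endpoint it is sent to, which is why picking the wrong SingleLogoutService URL fails at the IdP rather than silently. Many SPs additionally check that the incoming LogoutRequest's Destination equals their own SLO URL before answering at all.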