SAML single logout (SLO) has two cases, seen from the SP's side. "SLS" below is the SingleLogoutService endpoint each party exposes.
SP initiated
SP client logs out -> SP server ends the local session -> SP sends a LogoutRequest to the IdP's SLS -> IdP clears its session -> IdP sends a LogoutResponse to the SP's SLS -> SP redirects the user
IDP initiated (from this SP's point of view: the logout started somewhere else, here at another SP, SP2)
SP2 client logs out -> SP2 server ends its local session -> SP2 sends a LogoutRequest to the IdP -> IdP clears its session -> IdP sends a LogoutRequest to the SP's SLS -> SP logs the user out -> SP sends a LogoutResponse to the IdP -> IdP sends a LogoutResponse to SP2 -> SP2 redirects the user
(with front-channel bindings the IdP can only answer SP2 after it has finished with the other session participants, because every message travels through the one browser)
NOTE:
In both cases the SP sends a message to the IdP, either a LogoutRequest (SP initiated) or a LogoutResponse confirming the logout (IdP initiated), and both go to the same IdP SLS endpoint.
In both cases the IdP likewise sends a message to the SP's one SLS endpoint,
so to tell which case it is, the SP has to look at the SAML message carried in the request coming from the IdP. python-saml's process_slo does this:
https://github.com/SAML-Toolkits/python-saml/blob/master/src/onelogin/saml2/auth.py
For SP initiated logout, the request from the IdP carries a SAMLResponse parameter:
if 'get_data' in self.__request_data and 'SAMLResponse' in self.__request_data['get_data']:
because the SP sent the IdP a LogoutRequest earlier, something like:
<samlp:LogoutRequest ></samlp:LogoutRequest>
Usually the SP also adds a RelayState parameter (e.g. mysp/slo) to tell the IdP where to send the browser back to; it is optional.
For IdP initiated logout, the request from the IdP carries a SAMLRequest parameter:
elif 'get_data' in self.__request_data and 'SAMLRequest' in self.__request_data['get_data']:
The SP should then send a LogoutResponse back to the IdP (as a redirect, or whatever the binding calls for). Note that nothing the user did triggers this redirect: it is the SP answering the IdP's request, and the browser is bounced straight back to the IdP, so the user sees no SP page.
<samlp:LogoutResponse ></samlp:LogoutResponse>
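The SP-side dispatch described above, as an added worked example written for this page (it is not python-saml's code): a minimal SingleLogoutService handler for the HTTP-Redirect binding that tells the two cases apart by which parameter is present, checks the InResponseTo of a LogoutResponse against the LogoutRequests the SP actually sent, and for an IdP LogoutRequest ends the local session and builds the redirect carrying the LogoutResponse (echoing RelayState). Entity IDs, endpoint URLs and the message builders are assumptions made for the example; the IdP's messages are constructed locally so it runs offline, and signature verification is called out but not implemented.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical entity IDs and endpoints for the example; not taken from the post.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_SLS_URL = "https://sp.example.com/saml2/sls"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
IDP_SLS_URL = "https://idp.example.org/saml2/sls"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def redirect_encode(xml_bytes):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def parse_redirect_message(value):
    """Inverse of redirect_encode; returns the root element of the SAML message.
    Production code should parse attacker-controlled XML with defusedxml instead."""
    return ET.fromstring(zlib.decompress(base64.b64decode(value), -15))


def build_logout_request(issuer, name_id, destination):
    """LogoutRequest as sent by the SP (SP initiated) or, in the demo, by the IdP."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{_now()}" Destination="{destination}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{escape(name_id)}</saml:NameID>'
           f'</samlp:LogoutRequest>')
    return req_id, xml.encode()


def build_logout_response(issuer, in_response_to, destination):
    """LogoutResponse confirming the LogoutRequest whose ID is in_response_to."""
    xml = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{_now()}" Destination="{destination}" '
           f'InResponseTo="{in_response_to}"><saml:Issuer>{issuer}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
    return xml.encode()


def handle_sls(query, outstanding, sessions):
    """SP SingleLogoutService handler.
    query: GET parameters the IdP redirected the browser with.
    outstanding: set of IDs of LogoutRequests this SP sent and has not yet had answered.
    sessions: dict NameID -> local session, mutated in place.
    Returns a dict describing what the endpoint should do next."""
    if ("SAMLRequest" in query) == ("SAMLResponse" in query):
        raise ValueError("SLS expects exactly one of SAMLRequest or SAMLResponse")
    # Before trusting either message, verify its signature (SigAlg/Signature query
    # parameters for HTTP-Redirect) and check Issuer and Destination; omitted here.
    if "SAMLResponse" in query:
        # SP initiated: this is the IdP's LogoutResponse to a LogoutRequest we sent.
        root = parse_redirect_message(query["SAMLResponse"])
        if root.tag != f"{{{SAMLP}}}LogoutResponse":
            raise ValueError("expected LogoutResponse")
        in_resp = root.get("InResponseTo")
        if in_resp not in outstanding:
            # An unsolicited LogoutResponse must not be treated as a completed logout.
            raise ValueError("LogoutResponse does not match any outstanding LogoutRequest")
        outstanding.discard(in_resp)
        code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        ok = code is not None and code.get("Value") == SUCCESS
        return {"case": "sp_initiated", "ok": ok, "redirect": None, "params": None}
    # IdP initiated: this is the IdP's LogoutRequest; end the local session, then confirm.
    root = parse_redirect_message(query["SAMLRequest"])
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("expected LogoutRequest")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    terminated = sessions.pop(name_id, None) is not None
    resp = build_logout_response(SP_ENTITY_ID, root.get("ID"), IDP_SLS_URL)
    params = {"SAMLResponse": redirect_encode(resp)}
    if query.get("RelayState"):
        params["RelayState"] = query["RelayState"]  # echoed back to the IdP unchanged
    # The browser is sent straight back to the IdP; the SP renders no page of its own.
    return {"case": "idp_initiated", "ok": terminated,
            "redirect": IDP_SLS_URL + "?" + urlencode(params), "params": params}


if __name__ == "__main__":
    # IdP initiated case: a LogoutRequest constructed here stands in for the IdP's.
    req_id, req = build_logout_request(IDP_ENTITY_ID, "alice@example.com", SP_SLS_URL)
    result = handle_sls({"SAMLRequest": redirect_encode(req), "RelayState": "idp-state"},
                        set(), {"alice@example.com": {"sid": 1}})
    print(result["case"], result["ok"], result["redirect"][:60])
```

The InResponseTo check is the part worth copying: without it, anyone who can get the browser to hit the SP's SLS with a forged LogoutResponse can make the SP believe a logout it never requested has completed. python-saml's process_slo additionally verifies the message signature and lets you pass the expected request ID, which is the production equivalent of the `outstanding` set here.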