A customer has implemented single logout (SLO) with multiple SP partners, but users get an error when they attempt to log out of the CRM application via SP-initiated SLO. SM throws an error when it receives the request from the SP.
The SLO request was not signed, so SM rejected it. Per the SAML spec, all SLO requests must be signed when presented via the POST or Redirect bindings:
It is RECOMMENDED that the HTTP exchanges in this step be made over either SSL 3.0 [SSL3] or TLS 1.0 [RFC2246] to maintain confidentiality and message integrity. The message MUST be signed if the HTTP POST or Redirect binding is used. The HTTP Artifact binding, if used, also provides for an alternate means of authenticating the request issuer when the artifact is dereferenced.
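To confirm this cause on a captured request, the following added example (not part of the original article or of the product) checks whether a LogoutRequest carries a signature in the place each binding expects. The sample message, idp.example.com and sp.example.com are constructed placeholders; the check tests for presence only and does not validate the signature.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

LOGOUT_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}LogoutRequest"
SIG_TAG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def _parse(xml_bytes):
    # Meant for requests captured during troubleshooting, not for live untrusted input.
    root = ET.fromstring(xml_bytes)
    if root.tag != LOGOUT_TAG:
        raise ValueError("not a LogoutRequest")
    return root

def redirect_slo_status(url):
    """Redirect binding: the signature travels in the SigAlg and Signature query parameters."""
    q = parse_qs(urlparse(url).query)
    # SAMLRequest is base64 over raw DEFLATE (no zlib header), hence wbits=-15.
    _parse(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    missing = [p for p in ("SigAlg", "Signature") if p not in q]
    return "signed" if not missing else "unsigned: missing " + ", ".join(missing)

def post_slo_status(saml_request_field):
    """POST binding: the signature is a ds:Signature child element of the message itself."""
    root = _parse(base64.b64decode(saml_request_field))
    return "signed" if root.find(SIG_TAG) is not None else "unsigned: no ds:Signature element"

# Constructed sample message (every value is a placeholder).
SAMPLE = (b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
          b'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
          b'<saml:Issuer>https://sp.example.com</saml:Issuer>'
          b'<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>')

def sample_redirect_url(signed):
    """Build a constructed Redirect-binding URL for the hypothetical IdP idp.example.com."""
    deflater = zlib.compressobj(wbits=-15)
    params = {"SAMLRequest": base64.b64encode(deflater.compress(SAMPLE) + deflater.flush()).decode()}
    if signed:  # placeholder values: they show presence only, not a real signature
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = "Q09OU1RSVUNURUQ="
    return "https://idp.example.com/slo?" + urlencode(params)

if __name__ == "__main__":
    print(redirect_slo_status(sample_redirect_url(signed=False)))
    print(redirect_slo_status(sample_redirect_url(signed=True)))
    print(post_slo_status(base64.b64encode(SAMPLE).decode()))
```

An "unsigned" result for the SP's request matches the cause described above; the fix is on the SP side, which must sign its LogoutRequest.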
Release: ALL
Component: FEDERATION
When presented via POST or Redirect binding, SLO requests must be signed.
This is documented on page 35 of the following SAML standards document: