As SAML IDP, do not try to send an SLO response if no SLO endpoint is defined in the SP metadata
When using LL::NG as SAML IDP with a Shibboleth SP (in Renater), we discovered that the SP can send an SLO request to the IDP but has no SLO endpoint to receive the SLO response.
The SAML specification (saml-profiles-2.0-os) says the IDP MUST send an SLO response:
4.4.3.5 Identity Provider Issues <LogoutResponse> to Session Participant

After processing the original session participant's <LogoutRequest> as described in the previous steps, the identity provider MUST respond to the original request with a <LogoutResponse> containing an appropriate status code to complete the SAML protocol exchange. The response is sent to the original session participant, using a SAML binding consistent with the binding used in the original request, the capability of the responder, and the availability of the user agent at the identity provider. Assuming an asynchronous binding was used in step 1, then any binding supported by both entities MAY be used.

But if the SP metadata does not define the SLO endpoint, the logout process ends with an HTTP 500 error:

Mar 5 17:35:08 cchum-epcc-refid-llng1-dev LLNG: Lasso error [ critical ]: 2019-03-05 17:35:08 (profile.c/:1287) Unable to find Profile URL in metadata
Mar 5 17:35:08 cchum-epcc-refid-llng1-dev LLNG: Lasso error code -410: Unable to find Profile URL in metadata
Mar 5 17:35:08 cchum-epcc-refid-llng1-dev LLNG: Error 500: Unable to build SLO response
Even if this is not fully compliant with the SAML specification, I think we should not try to send an SLO response if the endpoint is not defined, or catch the error and display it in the logs, but end the process with a redirection to the IDP logout page to have a clean behavior from the end user's side.
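The check the report asks for, written out as an added example. This is not LemonLDAP::NG or Lasso code (it is Python rather than the project's Perl, and the function names are hypothetical): it reads the SP's SingleLogoutService entries from its metadata, picks a response endpoint by the rule quoted from the profile (same binding as the request, or any front-channel binding both sides support when the request was asynchronous), honours ResponseLocation when the SP publishes one, and returns a redirect to the IDP logout page instead of an error when nothing usable is found. The two metadata documents are constructed samples, not real Renater or Shibboleth metadata.

```python
# Added example: deciding whether an IdP can send a SAML <LogoutResponse>.
# Not LemonLDAP::NG / Lasso code; stdlib only, runs offline.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
# Front-channel (asynchronous) bindings: the user agent is available, so a
# request received over one of them may be answered over any other of them.
ASYNC_BINDINGS = (BINDING_REDIRECT, BINDING_POST)


def slo_endpoints(metadata_xml):
    """Every SingleLogoutService the SP publishes, in document order."""
    root = ET.fromstring(metadata_xml)
    found = []
    for sso in root.iter("{%s}SPSSODescriptor" % MD_NS):
        for svc in sso.findall("md:SingleLogoutService", NS):
            found.append({
                "binding": svc.get("Binding"),
                "location": svc.get("Location"),
                # Responses go to ResponseLocation when present, else Location.
                "response_location": svc.get("ResponseLocation") or svc.get("Location"),
            })
    return found


def choose_response_endpoint(endpoints, request_binding):
    """Endpoint for the <LogoutResponse>, or None if the SP has no usable one.

    Prefer the binding the <LogoutRequest> arrived on. If that request was
    asynchronous, fall back to any front-channel binding the SP supports.
    A SOAP (back-channel) request can only be answered over SOAP.
    """
    same = [e for e in endpoints if e["binding"] == request_binding]
    if same:
        return same[0]
    if request_binding in ASYNC_BINDINGS:
        for e in endpoints:
            if e["binding"] in ASYNC_BINDINGS:
                return e
    return None


def handle_sp_logout_request(metadata_xml, request_binding, idp_logout_url, log):
    """Return ("logout_response", url, binding) or ("redirect", idp_logout_url).

    `log` is a list the caller owns; a message is appended when the SP gives
    us nowhere to send the response, instead of failing the whole logout.
    """
    endpoint = choose_response_endpoint(slo_endpoints(metadata_xml), request_binding)
    if endpoint is None:
        log.append("no SingleLogoutService usable for %s in SP metadata; "
                   "skipping LogoutResponse, redirecting to IdP logout page"
                   % request_binding)
        return ("redirect", idp_logout_url)
    return ("logout_response", endpoint["response_location"], endpoint["binding"])


# Constructed sample metadata (hypothetical entityIDs and URLs).
SP_WITH_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"
        ResponseLocation="https://sp.example.org/Shibboleth.sso/SLO/Redirect/Response"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.org/Shibboleth.sso/SLO/SOAP"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same SP, but with no SingleLogoutService at all: the case from the report.
SP_WITHOUT_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    events = []
    for md in (SP_WITH_SLO, SP_WITHOUT_SLO):
        print(handle_sp_logout_request(md, BINDING_REDIRECT,
                                       "https://idp.example.org/logout", events))
    print(events)
```

The fallback returns a redirect rather than raising, so the IdP can finish its own session cleanup and land the user on its logout page; the log line keeps the non-compliant SP visible to the operator.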