Which logout endpoint bindings should be considered mandatory for SPs? For IdPs?
What requirements can we make around synchronous vs. asynchronous SAML logout?
Since we’ll have SPs that don’t support logout and don’t comply with the profile, should we recommend some IdP action or display to deal with those?
Should we recommend the support of full federated logout to all capable SPs attached to a user’s session? How much of the IdP experience should be dictated? Different answer for saml2int vs. community perhaps?
Should logout requests/responses be required to be signed?
Note from Jim Basney:
I agree with ScottK that logout is not a priority. Neither the NCSA IdP nor the CILogon SP supports SAML SingleLogoutService.
My only opinion about it is that entities should only publish SingleLogoutService endpoints in metadata if they're sure they support it properly.
For example, UnitedID's SingleLogoutService endpoint has been broken for a long time. If even the experts at UnitedID can't get it right, I think it's best for InCommon to continue to discourage use of SingleLogoutService.