Problems with invalid SessionIndex in Sign Out with SAML2 LogoutRequest


  • Hi, I'm a developer and I am actually trying to integrate (for many days now) my IdP with Office 365 using SAML 2. 

    I have had success with the first steps for user logon; however, I have a lot of doubts about Sign Out (LogoutRequest) with the IdP-initiated flow. The doubts are related to the endpoints for Sign Out. For developing the logon, I followed the endpoints and configurations present in this metadata:

    For sending a LogoutRequest, the metadata gives the same URL as for login:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>

    I create the LogoutRequest with the following data:

    <saml2p:LogoutRequest Destination=""

        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://my-enterprise-configuration-value</saml2:Issuer>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

    PS: I also generated the same LogoutRequest with Signature properties, but I get the same error (SessionIndex not present...).

    My biggest doubts are related to Destination, NameID Format and SPNameQualifier.

    What is the correct value of the Destination? I have seen elsewhere that I should insert the

    Destination with, I also saw <tenant-azure-id>/saml2.

    So, do I still have to send my POST request to even though my Destination is one of those mentioned above? Or should I send the POST to the same location as the Destination?

    The NameID Format I am using is the same as in the SAMLResponse uploaded (which I sent to Office 365).

    The SPNameQualifier is already using the same value set in Issuer (ImmutableID).

    PS2: the data sent in my POST are:




    I also looked for the place to configure Sign Out for my application in Administrative Tools, but I didn't find it.

    Thanks a lot!!!

    Thursday, February 8, 2018 9:59 AM
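
An added example, not part of the original post: a pre-send check that a self-generated LogoutRequest carries the elements the post asks about (Destination, NameID, SessionIndex) and that they agree with what was issued at sign-in. All URLs, IDs and values are constructed placeholders and the name `lint_logout_request` is hypothetical; that the service provider wants exactly these checks is an assumption based on the error quoted in the post.

```python
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
A = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample: every ID, URL and value below is a placeholder.
SAMPLE = (
    '<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1"'
    ' Version="2.0" IssueInstant="2018-02-08T09:59:00Z"'
    ' Destination="https://sp.example.invalid/slo">'
    '<saml2:Issuer>https://idp.example.invalid</saml2:Issuer>'
    '<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user@example.invalid</saml2:NameID>'
    '</saml2p:LogoutRequest>'
)


def lint_logout_request(xml_text, post_url, login_name_id, login_session_index):
    """List the problems in a self-generated LogoutRequest before it is sent.

    login_name_id is the (Format, value) pair and login_session_index the
    AuthnStatement SessionIndex from the assertion issued at sign-in.
    """
    root = ET.fromstring(xml_text)
    if root.tag != P + "LogoutRequest":
        return ["root element is not a SAML 2.0 LogoutRequest"]
    problems = []
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            problems.append("missing required attribute " + attr)
    # The recipient checks Destination against the URL it received the message on.
    if root.get("Destination") != post_url:
        problems.append("Destination missing or not the URL being POSTed to")
    issuer = root.find(A + "Issuer")
    if issuer is None or not (issuer.text or "").strip():
        problems.append("missing Issuer")
    name_id = root.find(A + "NameID")
    if name_id is None:
        problems.append("missing NameID")
    elif (name_id.get("Format"), (name_id.text or "").strip()) != login_name_id:
        problems.append("NameID differs from the one issued at sign-in")
    indexes = [e.text for e in root.findall(P + "SessionIndex")]
    if not indexes:
        problems.append("no SessionIndex element")
    elif login_session_index not in indexes:
        problems.append("SessionIndex differs from the one issued at sign-in")
    return problems
```

Run on the constructed sample, the only finding is the absent `<saml2p:SessionIndex>` element, which in SAML 2.0 belongs to the protocol namespace and carries the value of the `SessionIndex` attribute from the sign-in assertion's AuthnStatement.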