Hi,
We are an IdP, and each of our users may have access to multiple SP vendor apps via SAML2 assertion. My question is how to make sure all SPs (e.g. sp1, sp2, sp3) receive the SAML2 SLO message and clear the SP user session.
For SAML2 SLO, the CA documentation says that for the HTTP redirect or POST binding, it will send the SLO message to SP1 first and wait for SP1's SLO complete message, then send the SLO message to SP2 and wait for the success message, then send the SLO message to SP3.
Does this mean that if SP2 didn't implement SLO properly or is down, then SP3 will never get the SLO message from my IdP side?
Is there a way (or best practice) that we can trigger the SLO message to all the SPs? (I know SOAP binding with back channel can do this, but this will require all SPs to implement SOAP binding, right?)