Symantec Access Management

  • 1.  SLO issue

    Posted Jun 21, 2020 01:43 PM
    Hi all
    This is my scenario in a federated domain:

    A user logs in to the first SP (SP1).
    After that, the same user enters a second SP (SP2); no credentials are needed.

    If the user tries to disconnect from SP1, our IDP processes the SAML logout request, but instead of sending a Logout Response to SP1, it sends a new Logout Request to SP2.
    SP2 sends a successful SAML LogoutResponse to the IDP, but we get an error 500.

    Is this the correct flow?

    Regards,
    Livio


  • 2.  RE: SLO issue

    Broadcom Employee
    Posted Jun 22, 2020 01:00 AM
    Edited by Sung Hoon Kim Jun 22, 2020 01:01 AM
    The flow you are describing is correct, but it should not throw an HTTP 500.
    As you are seeing SP2 returning the SAML Logout Response to the IDP, it might be something wrong in the IDP-side configuration.
    But on the other hand, the HTTP 500 at the IDP may be a result of invalid data received from SP2 as well. (had typo, made correction)

    If this ever worked before, I would recommend checking the time synchronization, as that plays a big role and can cause confusion when more parties are involved.

    What usually helps is an HTTP header trace (such as Fiddler with the "DecryptHTTPS" option enabled), as that will show what is being communicated and where the error is.

    Which party is the SiteMinder?

    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------
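The flow discussed in this thread, as an added example that is not part of either post and is not SiteMinder code: a small Python model of the IdP side of SAML Single Logout. SP1 sends a LogoutRequest, the IdP fans a fresh LogoutRequest out to every other session participant (SP2), waits for their LogoutResponses, and only then answers SP1 with its own LogoutResponse. It also shows the two checks a practitioner wants on the inbound data before the IdP acts on it: the InResponseTo must match a request the IdP actually issued, and the IssueInstant must fall inside a clock-skew window, which is the "time synchronization" point raised in the reply. A stale or mismatched response is recorded as a failed participant and reported as PartialLogout instead of crashing the logout. The entity IDs, the 60-second skew window, and the session and user identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# SAML 2.0 status codes (from the SAML core spec); the skew window is an assumption.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
MAX_CLOCK_SKEW = timedelta(seconds=60)

# Assumed entity IDs, not taken from the thread.
IDP_ENTITY_ID = "https://idp.example.test"
SP1 = "https://sp1.example.test"
SP2 = "https://sp2.example.test"


@dataclass
class LogoutRequest:
    id: str
    issuer: str              # entity ID of the sender
    issue_instant: datetime  # must be timezone-aware UTC
    name_id: str
    session_index: str


@dataclass
class LogoutResponse:
    id: str
    in_response_to: str      # ID of the LogoutRequest being answered
    issuer: str
    issue_instant: datetime
    status: str


def new_id() -> str:
    # SAML IDs are XML IDs and may not start with a digit, hence the prefix.
    return "_" + secrets.token_hex(16)


class IdP:
    """Tracks session participants and drives SLO fan-out."""

    def __init__(self, clock):
        self.clock = clock     # callable returning the current UTC time (injectable for tests)
        self.sessions = {}     # session_index -> set of SP entity IDs sharing that session
        self.pending = {}      # ID of an outbound LogoutRequest -> SP it was sent to
        self.results = {}      # SP -> True if it logged out cleanly
        self.origin = None     # the LogoutRequest from the SP that started the SLO

    def login(self, session_index: str, sp: str) -> None:
        self.sessions.setdefault(session_index, set()).add(sp)

    def _fresh(self, t: datetime) -> bool:
        # Reject timestamps outside the skew window in either direction.
        return abs(t - self.clock()) <= MAX_CLOCK_SKEW

    def _respond(self, req: LogoutRequest, status: str) -> LogoutResponse:
        return LogoutResponse(new_id(), req.id, IDP_ENTITY_ID, self.clock(), status)

    def handle_logout_request(self, req: LogoutRequest):
        """Returns (outbound LogoutRequests, immediate LogoutResponse or None)."""
        if not self._fresh(req.issue_instant):
            return [], self._respond(req, STATUS_REQUESTER)
        others = self.sessions.get(req.session_index, set()) - {req.issuer}
        self.origin = req
        outbound = []
        for sp in others:
            out = LogoutRequest(new_id(), IDP_ENTITY_ID, self.clock(), req.name_id, req.session_index)
            self.pending[out.id] = sp
            outbound.append(out)
        if not outbound:                 # nobody else to notify: answer SP1 right away
            return [], self._finish()
        return outbound, None

    def handle_logout_response(self, resp: LogoutResponse):
        """Returns the final LogoutResponse for the originating SP once all replies are in."""
        sp = self.pending.pop(resp.in_response_to, None)
        if sp is None:
            # Not an answer to anything we sent: do not let it influence the logout.
            raise ValueError(f"unsolicited LogoutResponse {resp.id} from {resp.issuer}")
        ok = (resp.issuer == sp
              and self._fresh(resp.issue_instant)
              and resp.status == STATUS_SUCCESS)
        self.results[sp] = ok
        if self.pending:                 # still waiting on other participants
            return None
        return self._finish()

    def _finish(self) -> LogoutResponse:
        req = self.origin
        status = STATUS_SUCCESS if all(self.results.values()) else STATUS_PARTIAL
        self.sessions.pop(req.session_index, None)   # session is gone either way
        self.origin, self.results = None, {}
        return self._respond(req, status)


def simulate(sp2_clock_offset: timedelta = timedelta(0)):
    """Runs the thread's scenario; sp2_clock_offset models SP2's clock being off."""
    now = datetime(2020, 6, 21, 13, 43, tzinfo=timezone.utc)   # constructed timestamp
    idp = IdP(lambda: now)
    idp.login("sess-1", SP1)                                   # user logs in at SP1 ...
    idp.login("sess-1", SP2)                                   # ... then SSO into SP2
    sp1_req = LogoutRequest(new_id(), SP1, now, "user@example.test", "sess-1")
    outbound, final = idp.handle_logout_request(sp1_req)       # IdP fans out to SP2
    assert final is None and len(outbound) == 1
    sp2_resp = LogoutResponse(new_id(), outbound[0].id, SP2,
                              now + sp2_clock_offset, STATUS_SUCCESS)
    final = idp.handle_logout_response(sp2_resp)               # now SP1 gets its answer
    return sp1_req, final, idp
```

With synchronized clocks the final response to SP1 carries Success and InResponseTo equal to SP1's request ID; if SP2's clock is five minutes ahead, SP2's reply fails the freshness check and SP1 receives PartialLogout, which is the kind of silent data problem a header trace makes visible.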