How to configure Single Logout when using Google Apps as the Identity Provider?

Question

As outlined in the Google docs you can use Google Apps as a SAML 2.0 IdP. The IdP metadata includes a URL for SSO, but doesn't contain a SLO URL:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=XXXXXXXX" validUntil="xxxxxxx">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>....</ds:X509Certificate>
    </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"     Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Trying to just use the same URL for SLO results in an error at Google:

Error parsing the request, malformed_request: The SAML request is malformed. That’s all we know.

Of course you can just redirect to https://accounts.google.com/logout but that will only end the Google session.

SLO is not mentioned in Google docs. Is it supported?

Answer 1

Google does not support SAML SLO as an identity or service provider.