Sang Suantak

Create SAML SLO request

As a service provider (SP), I'm trying to create a request for SLO using the URL redirect flow. After going through a lot of articles, this is what I came up with:

  1. Create a logout request XML and digitally sign it
  2. Convert the request XML to a base64 URL-encoded string
  3. Append the base64-encoded request XML to the SLO URL as a querystring
  4. Redirect the page to the URL constructed above (IDP)
  5. The IDP will then perform the necessary SLO steps for all SPs at its end and redirect back to our current application (which initiated the SLO request)
  6. Parse the above response and show a message in the UI accordingly

However, when I got into the actual implementation, I'm faced with the following challenges, some of them not specific to SAML SLO.

  1. To digitally sign the logout request XML, is it mandatory to load/import the X.509 certificate from a .pfx file, or can I use any certificate from the certificate store which has a private key?
  2. For demo purposes, I've successfully signed the request using a certificate in my local system which has a private key. This process appends the signature and public key information to the logout request XML.
  3. I've encoded (Base64Url) the request XML, but the resulting string length is too long (more than 4k chars), which would exceed the maximum length allowed in a URL/GET request. Have I got this step wrong?
  4. None of the articles/SAML spec mentions what the querystring should look like. Is the querystring parameter name defined by the SAML spec (which I could have missed) or is it dependent on the IDP?

All in all, I feel that the SAML spec lacks articles with proper implementations, which is making it extremely difficult to get the hang of it.

Note: I didn't include any of the code I've written so far since my questions can be answered without it. However, if required, I can include it.

A few of the many referenced articles:
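As an added example (not code from the question or any project it mentions), this is how the SAML 2.0 HTTP-Redirect binding packages a LogoutRequest: raw DEFLATE, then base64, then URL-encoding into the SAMLRequest parameter, with a detached signature computed over the URL-encoded SAMLRequest/RelayState/SigAlg string and carried in a separate Signature parameter; those parameter names come from the SAML 2.0 Bindings specification, and the compression step is what keeps the URL short. The signer is injected as a callable; demo_sign is a stand-in keyed digest so the example runs offline, not a real signature.

```python
import base64
import hashlib
import zlib
from urllib.parse import parse_qs, quote, urlencode, urlsplit

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed sample request; a real one carries the IdP EntityID and the session NameID.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example/slo">'
    "<saml:Issuer>https://sp.example/metadata</saml:Issuer>"
    "<saml:NameID>user@example</saml:NameID></samlp:LogoutRequest>"
)

def deflate_b64(xml):
    """Raw DEFLATE (no zlib header: wbits=-15), then plain base64 (not base64url)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode("utf-8")) + c.flush()).decode("ascii")

def inflate_b64(value):
    """Receiver side: reverse of deflate_b64."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def signed_redirect_url(slo_url, xml, relay_state, sign, sig_alg=RSA_SHA256):
    """The signature is not embedded in the XML for this binding. It is computed over
    the URL-encoded string 'SAMLRequest=...&RelayState=...&SigAlg=...' exactly as sent,
    and carried in a separate Signature parameter. `sign` is an injected
    callable(bytes) -> bytes (assumed here; production: RSA-SHA256 with the SP key)."""
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    signed_string = urlencode(params, quote_via=quote)  # safe='' so '/', '+', '=' escape
    signature = base64.b64encode(sign(signed_string.encode("ascii"))).decode("ascii")
    return f"{slo_url}?{signed_string}&Signature={quote(signature, safe='')}"

def split_redirect_url(url):
    """IdP side: recover the XML, the exact bytes that were signed (taken from the query
    as received, never re-encoded) and the decoded signature."""
    query = urlsplit(url).query
    signed = "&".join(p for p in query.split("&") if not p.startswith("Signature="))
    fields = parse_qs(query)
    xml = inflate_b64(fields["SAMLRequest"][0])
    return xml, signed.encode("ascii"), base64.b64decode(fields["Signature"][0])

def demo_sign(data):
    """Stand-in so the example runs offline without a key: a keyed digest, NOT a real
    signature. A real SP signs with its private key and the IdP verifies with the cert."""
    return hashlib.sha256(b"demo-key:" + data).digest()
```

The IdP verifies the signature over the bytes returned as the second element of split_redirect_url, using the signing certificate from the SP's metadata rather than any key material carried in the request.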
