Proper SLO flow if a host is both an IdP and a SP

I have the need for a single host to act as both an IdP and a SP (let’s call it MainHost). I have a TestIdP and a TestSP used for testing. If I begin by logging into TestIdP, then beginning an IdP-initiated SSO to MainHost, then going from MainHost and performing an IdP-initiated SSO to TestSP, everything works fine. When I log off from TestSP, MainHost is also logged out. Perfect. However, I need to also log the user out from the TestIdP.

MainHost has SAMLController::SLOService and SAMLController::IdPSLOService with the code from the MVC examples. The MVC IdP example contains the following code that I’m not sure where to place:

if (SAMLIdentityProvider.IsSSO()) {
    // Request logout at the service providers.
    SAMLIdentityProvider.InitiateSLO(Response, null);
    return new EmptyResult();
}

I’m not sure where that should be placed as I think it’ll interfere with the redirects for the SLO.

When MainHost receives the logout request from TestSP, the following needs to happen.
1. MainHost, acting as the IdP, receives a logout request from TestSP.
2. MainHost, acting as the SP, sends a logout request to TestIdP.
3. TestIdP logs out the user locally and sends a logout response to MainHost.
4. MainHost receives the logout response and then sends a logout response to TestSP.

You should call SAMLIdentityProvider.ReceiveSLO to receive the logout request from TestSP.
Then call SAMLServiceProvider.InitiateSLO to send a logout request to TestIdP and then SAMLServiceProvider.ReceiveSLO to receive the logout response from TestIdP.
Finally, call SAMLIdentityProvider.SendSLO to send a logout response to TestSP.
You may need to keep some additional state information in MainHost to remember which step you are up to.
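
The four steps above as two MVC controller actions, given as an added example (not code from the posts above or from the library's samples). Assumptions: the `ComponentSpace.SAML2` namespace, the out-parameter lists and the `InitiateSLO`/`SendSLO` overloads follow the MVC examples and may differ between library versions; the session key `SloPendingPartnerSP` is hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2; // assumed namespace of the high-level API

public class SAMLController : Controller
{
    // Hypothetical session key: a TestSP logout request is waiting on TestIdP.
    private const string PendingSpKey = "SloPendingPartnerSP";

    // MainHost as IdP: endpoint that receives TestSP's logout request.
    public ActionResult IdPSLOService()
    {
        bool isRequest, hasCompleted;
        string logoutReason, partnerSP, relayState;
        // Step 1. Out-parameter list assumed from the MVC IdP example.
        SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest,
            out hasCompleted, out logoutReason, out partnerSP, out relayState);
        if (isRequest)
        {
            // End the local login now so a failed upstream leg cannot leave it
            // alive; keep the ASP.NET session, it carries the remaining steps.
            FormsAuthentication.SignOut();
            Session[PendingSpKey] = partnerSP;
            // Step 2. Overload assumed: (response, logoutReason, relayState).
            SAMLServiceProvider.InitiateSLO(Response, logoutReason, null);
        }
        return new EmptyResult();
    }

    // MainHost as SP: endpoint that receives TestIdP's logout response.
    public ActionResult SLOService()
    {
        bool isRequest;
        string logoutReason, partnerIdP, relayState;
        // Step 3 (TestIdP's local logout) is done by the time this arrives.
        SAMLServiceProvider.ReceiveSLO(Request, Response, out isRequest,
            out logoutReason, out partnerIdP, out relayState);
        if (isRequest)
        {
            // TestIdP started the logout itself: sign out and answer it.
            FormsAuthentication.SignOut();
            SAMLServiceProvider.SendSLO(Response, null);
        }
        else if (Session[PendingSpKey] != null)
        {
            // Step 4. Answer TestSP only if its request is actually pending.
            Session.Remove(PendingSpKey);
            SAMLIdentityProvider.SendSLO(Response, null);
        }
        else FormsAuthentication.RedirectToLoginPage(); // nothing pending
        return new EmptyResult();
    }
}
```

The pending flag is the "additional state" mentioned above: without it, a logout response arriving at `SLOService` cannot be told apart from the end of a logout that MainHost started on its own.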