
I'm trying to integrate my SAML 2.0 service into Azure B2C. We've successfully managed to single log in; however, we've been unable to get single logout to work completely properly.

We've narrowed it down to our service not processing the logout response properly, specifically the URL that B2C calls is not formatted in the way that we're expecting. For other identity providers that we've integrated (OKTA, ADFS 2.0) the URL that they call on logout success looks something like:

https://my-service.com/logout?SAMLResponse=<samlResponse>&RelayState=<relayState>

where samlResponse is a base64-encoded XML SAML logout response that we then process, verify, etc.

Azure B2C makes a call that looks like:

https://my-service.com/logout?SAMLResponse=<samlResponse>&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=<signature>

where samlResponse is not immediately a base64-encoded string that we can decode into the XML SAML logout response, thus causing issues with our service's verification process. My question is: what kind of string is that samlResponse, and what do I need to do to it to be able to examine the XML SAML logout response?

I'm by no means an expert on SAML 2.0 so I'm sorry if this question is super obvious :)

user1699348

1 Answer

OK, so it turns out this was me just not knowing SAML well enough and nothing to do with Azure B2C behaviour. B2C uses the "Redirect" binding for logging out, not a POST. For a redirect binding the response is sent along a bit differently. It's gzipped as well as base64-encoded and URL-encoded.

This was the post that helped me figure this out: https://stackoverflow.com/a/41469795/1699348

user1699348