For a SAML client with "Client Signature Required" set to OFF, RH-SSO throws "invalid_logout_request" while processing an unsigned SAML logout request from an external Service Provider, with the error below in server.log:
2020-01-28 09:45:44,814 WARN [org.keycloak.events] (default task-4) type=LOGOUT_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=22.214.171.124, error=invalid_logout_request, reason=invalid_destination
Sample logout request from the external SP (truncated as captured; note that it carries no Destination attribute):
<samlp:LogoutRequest ID="_51c8bd8e-f1aa-40a9-8c37-8d6198eba78d" Version="2.0" IssueInstant="2020-01-28T08:45:44Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https:
As per the SAML 2.0 Bindings spec, sections 3.4.5.2 (HTTP Redirect binding) and 3.5.5.2 (HTTP POST binding):
"If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received."
So RH-SSO is validating the Destination attribute even though the message is not signed, and fails the request with reason=invalid_destination because the attribute is absent.
Hence, as per the SAML spec, RH-SSO should not mandate the Destination attribute in a SAML logout request that is not signed; the Destination requirement and the match check apply only to signed messages.
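The following is an added illustration, not RH-SSO/Keycloak code: a Destination check written the way sections 3.4.5.2 / 3.5.5.2 describe it, run against constructed logout requests modelled on the one above. The endpoint URL, issuer and the empty ds:Signature stub are assumptions; in a real endpoint the signature would be verified before this check runs.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def check_logout_request(xml_text, received_at, query_signed=False):
    """Return (accepted, reason) for a <samlp:LogoutRequest>.

    Per SAML Bindings 3.4.5.2 / 3.5.5.2 the Destination attribute is only
    required, and only has to match the URL the message arrived at, when the
    message is signed: an enveloped <ds:Signature> (POST binding) or a
    detached Signature/SigAlg pair on the query string (Redirect binding),
    which the caller reports with query_signed=True.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return False, "invalid_logout_request"
    signed = query_signed or root.find("{%s}Signature" % DSIG) is not None
    destination = root.get("Destination")
    if destination is None:
        # The case from the report: an unsigned request without Destination
        # is acceptable; a signed one without it violates the MUST above.
        if signed:
            return False, "invalid_destination"
        return True, "ok"
    if destination != received_at:
        # A Destination that is present but points elsewhere is never
        # legitimate, whether or not the message is signed.
        return False, "invalid_destination"
    return True, "ok"


def make_logout_request(destination=None, enveloped_signature=False):
    """Build a constructed LogoutRequest shaped like the one in the report.

    The empty <ds:Signature/> is a stand-in that only marks the message as
    signed for this example (assumption); it is not a real signature.
    """
    attrs = ('xmlns:samlp="%s" ID="_example-id" Version="2.0" '
             'IssueInstant="2020-01-28T08:45:44Z"' % SAMLP)
    if destination:
        attrs += ' Destination="%s"' % destination
    sig = '<ds:Signature xmlns:ds="%s"/>' % DSIG if enveloped_signature else ""
    return ('<samlp:LogoutRequest %s><saml:Issuer xmlns:saml="%s">'
            'https://sp.example.test/metadata</saml:Issuer>%s'
            '</samlp:LogoutRequest>' % (attrs, SAML, sig))
```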