Handle unknown SAML2 SP's when logging out
In the case where a logout is in progress and an unknown
SP is in the session list it is marked as logged out and
logout continues (with logging). This is expected to be
a fairly rare occurance as it involves adding an SP,
having users log into it, then removing it and restarting
Apache.
In the case where a logout request or response is received
from an unknown SP a 400 is raised. We might be able to
find a user session but because we can't authenticate the
SP there is no way to know if this is a request from that
user or some sort of DoS attack so an error is raised.
https://fedorahosted.org/ipsilon/ticket/187
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>