The tricky part is it works locally but when I publish to Azure, it failed logout.
Another thing that I just noticed is that once I clicked the 'logout' button, when it redirects to another exception page, the cookie value of 'saml-session' changed. Is it because those values do not match?
Btw, just to confirm that once a sso completes, both idp and sp will have a cookie named "saml-session" right? And they should have same value? Will to results to slo failure if the idp site does not hold this 'saml-session' cookie?