Finlay I can do SLO :)
Previously I have worked with ForgeRock's IDP and it worked perfectly, but with ADFS did not. It is obvious that Microsoft has restricted rules related with SAML message formatting. Conclusions that I have found :
LogoutRequest message MUST be signed (SAML 2.0 Profiles doc, Sect 4.4.3.1). Thank you Ian for this.
Order of the XML elements and attributes is important. On the bottom of this message is final version of my log out request.
NameId must be in the same format as one received from AuthenticationResponse. It should contains elements expected by ADFS. These links helped me : Name Identifier (Name ID) claim in the SAML subject and SAML LogoutRequest
LogoutRequest signature must me transformed with XmlDsigExcC14NTransform, that should be added after XmlDsigEnvelopedSignatureTransform
Canonization method for signing should be http://www.w3.org/2001/10/xml-exc-c14n#
Issuer, NameID and SessionIndex are mandatory XML elements
Namespaces are mandatory : xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" and xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Final LogoutRequest message that is working :
<samlp:LogoutRequest ID="f8a62847-92f2-4f0c-936a-df9efe0cc42f"
Version="2.0"
IssueInstant="2013-08-29T20:53:50Z"
Destination="https://server/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.com/</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#f8a62847-92f2-4f0c-936a-df9efe0cc42f">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>W7F1E2U1OAHRXn/ItbnsYZyXw/8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate></X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="http://schemas.xmlsoap.org/claims/UPN"
>user</saml:NameID>
<samlp:SessionIndex>_2537f94b-a150-415e-9a45-3c6fa2b6dd60</samlp:SessionIndex>