Question

All my logout responses from the simplesamlphp IdP come encrypted. I looked in the simplesamlphp docs but cannot find any option to switch off encryption.

(I have logout signing on; but signing should be independent of encryption, and I use the Redirect binding.)

Is it possible to send logout responses via the Redirect binding unencrypted? Or is it always on by default for some reason?


Solution 2

The issue was with something else. I just reused the code that processed POST binding to also process Redirect binding; but with Redirect binding, the payload is deflated, so the code for POST cannot be reused directly.
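The distinction Solution 2 describes, shown as an added Python example (not the asker's code and not part of simpleSAMLphp): the HTTP-POST binding carries base64(XML), while the HTTP-Redirect binding carries URL-encoded base64 of a raw DEFLATE stream, so a POST-style decoder applied to a Redirect payload yields compressed bytes that merely look encrypted. The LogoutResponse and the SP URL below are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed, unsigned LogoutResponse used only as demo input.
SAMPLE_XML = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_demo1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>'
)


def encode_post(xml: str) -> str:
    """HTTP-POST binding: the SAMLResponse form field is just base64(XML)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect_url(xml: str, sp_logout_url: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate stream
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return f"{sp_logout_url}?SAMLResponse={quote(b64, safe='')}"


def redirect_param(url: str) -> str:
    """Extract the SAMLResponse query value; parse_qs already URL-decodes it."""
    return parse_qs(urlsplit(url).query)["SAMLResponse"][0]


def decode_post(field: str) -> str:
    """POST-style handler: base64 only. Wrong for Redirect payloads."""
    return base64.b64decode(field).decode("utf-8", errors="replace")


def decode_redirect(url: str) -> str:
    """Redirect handler: URL-decode, base64-decode, then inflate (raw deflate)."""
    return zlib.decompress(base64.b64decode(redirect_param(url)), -15).decode("utf-8")


def is_logout_response(text: str) -> bool:
    """True if text parses as XML whose root element is samlp:LogoutResponse."""
    try:
        return ET.fromstring(text).tag == f"{{{SAMLP}}}LogoutResponse"
    except (ET.ParseError, ValueError):
        return False
```

Running `is_logout_response(decode_post(redirect_param(url)))` on a URL built by `encode_redirect_url` returns False, while `decode_redirect(url)` recovers the original XML.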

OTHER TIPS

Parameter 'assertion.encryption' defined on IdP remote metadata

Whether assertions received from this IdP must be encrypted. The default value is FALSE. If this option is set to TRUE, assertions from the IdP must be encrypted. Unencrypted assertions will be rejected.

Note that this option overrides the option with the same name in the SP configuration.

Reference: http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote

Parameter 'assertion.encryption' in saml20-idp-hosted.php

Whether assertions sent from this IdP should be encrypted. The default value is FALSE.

Note that this option can be set for each SP in the SP-remote metadata.

Reference: http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted

Edited to add an explanation:

simpleSAMLphp uses the function encryptAssertion (modules/saml/lib/IdP/SAML2.php) to decide whether or not to encrypt all the assertions that it handles. This function checks the value of 'assertion.encryption' defined in the IdP/SP metadata file (if this parameter is not defined, the assertion is not encrypted):

private static function encryptAssertion(SimpleSAML_Configuration $idpMetadata,
    SimpleSAML_Configuration $spMetadata, SAML2_Assertion $assertion) {

    /* The per-SP setting in saml20-sp-remote takes precedence. */
    $encryptAssertion = $spMetadata->getBoolean('assertion.encryption', NULL);
    if ($encryptAssertion === NULL) {
        /* Fall back to the IdP-wide setting in saml20-idp-hosted (default FALSE). */
        $encryptAssertion = $idpMetadata->getBoolean('assertion.encryption', FALSE);
    }
    if (!$encryptAssertion) {
        /* We are _not_ encrypting this assertion, and are therefore done. */
        return $assertion;
    }
    /* ... the remainder of the function, which performs the encryption, is not shown ... */
Licensed under: CC-BY-SA with attribution