auth0/node-samlp

How is destination supposed to be set in SP logout request?

nlfiedler opened this issue · 0 comments

I'm making an "out of the blue" logout request using python3-saml and samlp is raising an error at `lib/logout.js:180` (line `if (!session && !options.destination) { return next(new Error('Invalid Session Participant')); }`). The request contains the `Destination` attribute, and the saml-idp service is setting the session participants, so why am I getting this error? I get that the request is coming out of nowhere (i.e. no session), but I am including the destination. If I change `options.destination` on line 180 to `requestData.destination` then it works. Maybe this is horrifying in terms of security, but I want to at least pose the question. How can I ensure the principal is logged out of the IdP, regardless of having a session or not? The error is raised as a 500 via saml-idp, so it's hard to do any reasonable validation.