There's nothing wrong with defaulting the endpoint, but it is illegal in SAML to use the redirect binding for a response in SSO. You can do logout responses and other messages, but not full SSO that way, so the IdP does not look for that binding and can't find any eligible one to use. -- Scott