By: Robin Cottiss user 27 Aug 2015 at 9:10 p.m. CDT

4 Responses
I was able to set up SAML for Single Sign On, but when I added an SP Logout URL the config screen will not validate the URL. See screenshot and attached IdP log and config files.

The full URL attempted was: `http://<mySPhostname>/wg/saml/SingleLogout/index.html`

I suspect that the Gluu server does not resolve the `<mySPhostname>`. I added my DNS to the Gluu config screen, but the Gluu server DNS is still 8.8.8.8. Do I need to configure DNS at the OS container level somewhere?

Thanks,
Robin

By Mohib Zico Account Admin 28 Aug 2015 at 12:33 a.m. CDT

`tail` the oxtrust log while trying this feature (adding SP Logout). The log should give some hint.

By Mohib Zico Account Admin 28 Aug 2015 at 4:28 a.m. CDT

Also two points...

1. You can directly add the public IP in the Gluu Server container's hosts file (log into the container with `service gluu-server login` and add this in `/etc/hosts`).
2. You can call the Gluu Server logout link (`https://<hostname>/idp/logout.jsp`) from the SP instead of providing the SP's logout link in the Trust relationship.

#2 is famous among our customers as they have various types of SPs out there (in-house, SaaS, remote).

By Robin Cottiss user 28 Aug 2015 at 10:27 a.m. CDT

I did #1 earlier after I realised that could be the problem.

I am not sure how #2 is going to work. The SP needs to see support for SLO in the IdP metadata and it needs to be HTTP-POST not HTTP-Redirect. I can modify the IdP metadata to tell the SP that SLO is supported, but what would I configure in Gluu/Shibboleth to ensure that the IdP POSTs the SLO Request? Note that SLO is new for our SP so I am not 100% sure of the workflow.

I looked at the oxtrust log but I do not see any obvious log as to why the URL will not validate. Is there another log or logging level to turn on? Attached is the tail of the oxtrust.log. There is an exception after setting httpd attributes but I see that a lot.

Also note that the Download Shibboleth2 Configuration files results in a system error. I tried that after the Update to the Logout URL.

By Mohib Zico Account Admin 28 Aug 2015 at 10:34 a.m. CDT

> The SP needs to see support for SLO in the Idp metadata and it needs to be HTTP-POST not HTTP-Redirect

These endpoints are available in your Gluu Server's metadata. Location: `https://<hostname>/idp/shibboleth`

For Shibboleth SLO, you can try [this](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO) doc. Or you can even force logout with something like `https://<hostname>/idp/logout.jsp?post_logout_redirect_uri=https://<hostname>/identity/authentication/finishlogout`
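
Added example (not part of the thread and not Gluu or Shibboleth code): one way to check which SingleLogoutService bindings an IdP metadata document advertises, and whether HTTP-POST is among them. The metadata below is constructed for illustration; `idp.example.org`, its endpoint paths and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata; host and endpoint paths are placeholders.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/slo/redirect"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.org/slo/post"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_endpoints(metadata_xml):
    """Return [(binding_short_name, location)] for the IdP's SingleLogoutService entries."""
    # SAML metadata has no use for DTDs; refusing them avoids entity-expansion input.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(metadata_xml.strip())
    found = []
    for svc in root.findall(".//md:IDPSSODescriptor/md:SingleLogoutService", MD_NS):
        # Binding is a URN such as urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        found.append((binding, svc.get("Location", "")))
    return found


def check_slo(metadata_xml, required_binding="HTTP-POST"):
    """Report advertised SLO bindings, whether the required one is present, and non-HTTPS endpoints."""
    endpoints = slo_endpoints(metadata_xml)
    return {
        "advertised": sorted({b for b, _ in endpoints}),
        "has_required": any(b == required_binding for b, _ in endpoints),
        "insecure": [loc for _, loc in endpoints if urlparse(loc).scheme != "https"],
    }


if __name__ == "__main__":
    print(check_slo(SAMPLE_METADATA))
```

To run it against a real IdP, save the document served at the metadata location to a file and pass its contents to `check_slo`.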