By: Jay Brubin user 24 May 2016 at 1:16 p.m. CDT

8 Responses
How can we add the SingleLogoutService to the Gluu IDP XML?

```xml
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"
    ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"
    ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/ssocircle"/>
```

By William Lowe user 24 May 2016 at 1:20 p.m. CDT

Hi Jay,

Have you checked our [logout docs](https://gluu.org/docs/gluu-defaults/logout/)?

Thanks,
Will

By Jay Brubin user 24 May 2016 at 1:51 p.m. CDT

Yes, I have. How do I modify the IDP XML to use `https://<hostname of Gluu Server>/idp/logout.jsp` in the XML:

```xml
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"
    ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
```

Also, what does the field in the trust relationship do? SP Logout URL (optional)

By Mohib Zico staff 24 May 2016 at 2:05 p.m. CDT

Hello Jay,

> yes i have. how do i modify the idp xml to use:

You don't need to; you just have to call this URL from the SP side. We highly discourage modifying any configuration file from inside. Gluu Server's oxTrust (GUI) is sufficient to achieve 99% of jobs.

> also what does the field in the trust relationship do? SP Logout URL (optional)

Its purpose was to provide the Logout URI for those SPs which are built internally (i.e. by configuring Shibboleth SP or with any other SP system), but it's not tested properly.

By Jay Brubin user 24 May 2016 at 2:27 p.m. CDT

I am supporting 2 different IDPs. How do I call the Gluu SAML logout URL from the Spring sample SAML SP app? Generally it's done by reading the idp.xml:

```xml
<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="false"/>
</bean>

<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <constructor-arg index="0" ref="successLogoutHandler"/>
    <constructor-arg index="1" ref="logoutHandler"/>
    <constructor-arg index="2" ref="logoutHandler"/>
</bean>

<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <constructor-arg index="0" ref="successLogoutHandler"/>
    <constructor-arg index="1" ref="logoutHandler"/>
</bean>
```

By Michael Schwartz Account Admin 24 May 2016 at 2:29 p.m. CDT

A few thoughts here:

1) Assuming you are using a custom authentication script, in a pinch, you can use the logout method to send callbacks to uncooperative backend applications.

2) OpenID Connect logout works through the Front Channel (browser). This works well, because apps can clear their cookies. If you can figure out how to register the SAML apps as OpenID Connect clients, the logout URL will be sent to the browser by calling the OpenID Connect logout endpoint.

Net, net, there is usually a way to get your logout use case to work, but it may take some work.

By Jay Brubin user 24 May 2016 at 2:43 p.m. CDT

It would be easier to append to the Gluu idp.xml in my SP and add:

```xml
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://ec2-52-38-74-142.us-west-2.compute.amazonaws.com/idp/logout.jsp"
    ResponseLocation="https://ec2-52-38-74-142.us-west-2.compute.amazonaws.com/idp/logout.jsp"/>
```

I am dealing with multiple IDPs in the same SP instances and have to use the conventions in the Spring XML:

```xml
<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="false"/>
</bean>

<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <constructor-arg index="0" ref="successLogoutHandler"/>
    <constructor-arg index="1" ref="logoutHandler"/>
    <constructor-arg index="2" ref="logoutHandler"/>
</bean>

<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <constructor-arg index="0" ref="successLogoutHandler"/>
    <constructor-arg index="1" ref="logoutHandler"/>
</bean>
```
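
As an added example (not code from this thread, from Gluu, or from Spring Security SAML), the following script inserts SingleLogoutService endpoints into an SP-side copy of IdP metadata at the position the SAML metadata schema requires (before NameIDFormat and SingleSignOnService, not appended at the end), and skips bindings that are already present so re-running it does not duplicate endpoints. The sample metadata, hostname and logout URL are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)  # keep the md: prefix when serialising

# Constructed sample IdP metadata with no SingleLogoutService yet; hostname is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# IDPSSODescriptor children that the metadata schema orders AFTER SingleLogoutService;
# a new SLO element must go before the first of these or the file fails schema validation.
_AFTER_SLO = {"ManageNameIDService", "NameIDFormat", "SingleSignOnService",
              "NameIDMappingService", "AssertionIDRequestService", "AttributeProfile", "Attribute"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} part of an ElementTree tag

def idp_children(metadata_xml):
    """Local names of the IDPSSODescriptor children, in document order."""
    idp = ET.fromstring(metadata_xml).find(f"{{{MD}}}IDPSSODescriptor")
    return [_local(c.tag) for c in idp]

def slo_endpoints(metadata_xml):
    """(Binding, Location) pairs for every SingleLogoutService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location")) for e in root.iter(f"{{{MD}}}SingleLogoutService")]

def add_slo_endpoints(metadata_xml, logout_url, bindings=(HTTP_REDIRECT, HTTP_POST)):
    """Return metadata with a SingleLogoutService added for each binding not already present."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    present = {e.get("Binding") for e in idp.findall(f"{{{MD}}}SingleLogoutService")}
    # Insertion point: just before the first child that must follow SLO (or at the end).
    idx = next((i for i, c in enumerate(idp) if _local(c.tag) in _AFTER_SLO), len(idp))
    for binding in bindings:
        if binding in present:
            continue  # idempotent: never duplicate an endpoint on re-runs
        slo = ET.Element(f"{{{MD}}}SingleLogoutService", Binding=binding,
                         Location=logout_url, ResponseLocation=logout_url)
        idp.insert(idx, slo)
        idx += 1
    return ET.tostring(root, encoding="unicode")
```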

By Michael Schwartz Account Admin 24 May 2016 at 3:11 p.m. CDT

If you end the SAML session only, the Shibboleth IDP will just create a new session if it finds a valid OpenID Connect session. This is not going to get solved before we upgrade to Shib IDP version 3.0. I created a github issue to track this enhancement: [https://github.com/GluuFederation/oxShibboleth/issues/5](https://github.com/GluuFederation/oxShibboleth/issues/5)

By Jay Brubin user 24 May 2016 at 7:45 p.m. CDT

That might work for me so long as the SP app that initiated logout has the SAML credential data destroyed; I don't care if the other SP(s) don't get logout invoked, as long as the Spring code is followed.