By: Junhwan An user 24 Oct 2017 at 8:03 p.m. CDT

3 Responses
Junhwan An gravatar
I'm using Gluu server as SAML IDP. As you know, SAML in Gluu server doesn't support Single Logout so I'm using frontchannel logout feature of OpenID Connect. When I use 'https://<hostname>/idp/logout.jsp' to logout, it works well. It make me logout from both Gluu server and federated 3rd-party. But when I try to logout by 'https://<hostname>/identity/logout' which is in Gluu server itself for logout, it doesn't work with federated site, only with Gluu server itself. If it's a normal behavior because of I'm using SAML not OpenID Connect, please consider that make it works with SAML too.

By Aliaksandr Samuseu staff 24 Oct 2017 at 8:25 p.m. CDT

Aliaksandr Samuseu gravatar
Hi, Junhwan. Why exactly do you try to use this other url for logout? Could you refer me to a doc you are following? I also not quite sure what do you mean by a "federated site" in this context. Could you describe your setup and those 2 logout flows you are mentioning in more details?

By Junhwan An user 25 Oct 2017 at 3:18 a.m. CDT

Junhwan An gravatar
I have a Service site that works as SAML SP.(Federated site) And I also have a Gluu Server as SAML IDP. Users login to the Service site through Gluu Server. I set a frontchannel logout uri in Gluu Server as Service site's logout url. And I provide logout url as 'https://<Gluu Server Hostname>/idp/logout.jsp' from the Service site and it works well. (Users can logout from both Gluu Server and Service site) But the problem is that users can access Gluu Server itself to edit their profile. When users logout from Gluu Server itself, they'll use the logout button in Gluu Server's main page and the button's url is 'https://<Gluu Server Hostname>/identity/logout'. This url('https://<Gluu Server Hostname>/identity/logout') works only with the Gluu Server not frontchannel logout uri(Service site's logout url). Actually, I'm not sure that the frontchannel logout feature apply to SAML because frontchannel logout feature belongs to OpenID Connect not SAML. I followed 'https://gluu.org/docs/ce/3.1.1/operation/logout/'

By Mohib Zico Account Admin 01 Nov 2017 at 6:22 a.m. CDT

Mohib Zico gravatar
>> This url('https://<Gluu Server Hostname>/identity/logout') works only with the Gluu Server not frontchannel logout uri(Service site's logout url). `/identity/logout/` won't work for SP's logout; it's only Gluu Server's `oxTrust` component logout. What you are using for Shib logout `/idp/logout` from SP is the proper one for logging out from any SP. I think you might have two options... - Whenever user logout from Gluu oxTrust through `/identity/logout`; there is a page showing that.. "You are logged out". You can add something like "Close the browser for complete logout" there; so user will close the browser. - Or.. use OpenID connect in total. OpenID Connect has front-channel / back-channel features.