Hi, Philip.
>I saw this line said by Yuriy Zabrovarnyy "From here if app-A calls /end_session endpoint it returns html page with iframes which loads all frontchannel_logout_uri and force to logout app-B too (and all other apps that take part in this SSO session)".
That's a good summary of the process. As you mentioned you've read the spec itself, I'm not sure what else here to add. All your apps must support the spec for the whole thing to work. When user initiates logout at one of those apps, it will first have to send them for logout to Gluu, the way you described at the beginning of your post:
> I am able to logout by calling https://gluu.alliance.com.ph/oxauth/restv1/end_session?id_token=[id_token]
When user's session at Gluu is explicitly terminated this way, at some point user will be redirected to a special page with iframe containing logout url(s) for OIDC client(s) which registered its "Front Channel Logout URI" at Gluu (thus notifying Gluu they support this spec and want to utilize it).
Here is an example source code of that page:
```
<!DOCTYPE html><html><head><script>window.onload=function() {window.location='http://oidc-js.site:5000/user-manager-sample.html?state=90689c938f8140c6b53da53e25c4abfb'}</script><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/><iframe height="0" width="0" src="http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e"></iframe></body></html>
```
If there are several such clients, this page will contain several logout urls, and they all will be requested by their browser. From the moment "http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e" is requested by user's browser, it's responsibility of the RP to end user's session there. Please note we don't provide support for custom client's development, but you can find more details in the spec you mentioned.