Hi, Philip. >I saw this line said by Yuriy Zabrovarnyy "From here if app-A calls /end_session endpoint it returns html page with iframes which loads all frontchannel_logout_uri and force to logout app-B too (and all other apps that take part in this SSO session)". That's a good summary of the process. As you mentioned you've read the spec itself, I'm not sure what else here to add. All your apps must support the spec for the whole thing to work. When user initiates logout at one of those apps, it will first have to send them for logout to Gluu, the way you described at the beginning of your post: > I am able to logout by calling https://gluu.alliance.com.ph/oxauth/restv1/end_session?id_token=[id_token] When user's session at Gluu is explicitly terminated this way, at some point user will be redirected to a special page with iframe containing logout url(s) for OIDC client(s) which registered its "Front Channel Logout URI" at Gluu (thus notifying Gluu they support this spec and want to utilize it). Here is an example source code of that page: ``` <!DOCTYPE html><html><head><script>window.onload=function() {window.location='http://oidc-js.site:5000/user-manager-sample.html?state=90689c938f8140c6b53da53e25c4abfb'}</script><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/><iframe height="0" width="0" src="http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e"></iframe></body></html> ``` If there are several such clients, this page will contain several logout urls, and they all will be requested by their browser. From the moment "http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e" is requested by user's browser, it's responsibility of the RP to end user's session there. Please note we don't provide support for custom client's development, but you can find more details in the spec you mentioned.

Thank you for your kind response! If my understanding is correct this is your Post Logout Redirect URI ('http://oidc-js.site:5000/user-manager-sample.html?state=90689c938f8140c6b53da53e25c4abfb') and this is the frontchannel_logout_uri (http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e) you registered in one of your clients. So if I request "https://gluu.alliance.com.ph/oxauth/restv1/end_session?id_token=[id_token]" the user will be redirected to a special page which may look like this: <!DOCTYPE html><html><head><script>window.onload=function() {window.location='http://oidc-js.site:5000/user-manager-sample.html?state=90689c938f8140c6b53da53e25c4abfb'}</script><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/><iframe height="0" width="0" src="http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e"></iframe></body></html> before the user will be redirected to the Post Logout Redirect URI(As of now in my progress I'm currently here I also saw this "Gluu Generated logout page" before going to my post logout redirect URI but back then I have no idea what it is :D). To continue so these frontchannel_logout_uri which are in iframes are the ones responsible in telling Gluu that the user has logged out in the app then Gluu will force logout the other applications? Is that how frontchannel_logout_uri works? but, I tried not to put frontchannel_logout_uri in one of the client and the session still got ended. Correct me if I'm wrong because I'm quite confused on what is the purpose of frontchannel_logout_uri. Hoping for your patience.

Hi Guys, Was able to find a way on how to implement my Desired logout flow. Thanks for the support! Will close this ticket now.

Hi Philip, I'm evaluating gluu for our SSO and I'm having hard time figuring out the best way to implement the logout as in your scenario! Would you mind sharing how you end up implementing it? Thank you, Modjo