Hi all,
We are using KeyCloak as IDP to support SAML authentication for different
SPs. Some of the SPs don't support SAML logout (such as Salesforce). They
only support setting up a GET Logout URL provided by the Identity
Provider.
https://success.salesforce.com/ideaView?id=08730000000DjseAAC
I came across this bug reported in Jira, which suggests using the OpenID
Connect protocol to log out as a workaround:
https://issues.jboss.org/browse/KEYCLOAK-3476
I tried that approach but it didn't work for me.
I have added https://muein2-dev-ed.my.salesforce.com as a valid URI under
the Salesforce SP and provided
https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-...
as the logout URL in Salesforce. But when I tried to log out from Salesforce,
it failed for me with the following exception.
2:32,165 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1)
RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException:
RESTEASY003210: Could not find resource for full path: ht
//
mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?...
at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
1. Am I missing something here?
2. Also, is there any plan to add a generic logout URL (as suggested in
KEYCLOAK-3476) which can be used for such SPs?
Regards,
Muein
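As an added sanity check for the setup described above (example code, not from the original post and not Keycloak's own code), the helper below builds the Keycloak OIDC GET logout URL for a realm and redirect target and flags a configured logout URL whose path lacks the final logout segment or whose redirect target is not covered by the client's registered valid redirect URIs. The endpoint path, the `redirect_uri` parameter name and the prefix-wildcard matching are assumptions about Keycloak releases of that era; the hosts are constructed.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed Keycloak OIDC logout path. 'redirect_uri' is the parameter used by
# Keycloak releases of that era (newer releases use post_logout_redirect_uri
# together with id_token_hint).
LOGOUT_SUFFIX = "/protocol/openid-connect/logout"


def build_oidc_logout_url(base_url, realm, redirect_uri):
    """Return the GET logout URL an SP without SAML SLO can be pointed at."""
    base = base_url.rstrip("/")
    query = urlencode({"redirect_uri": redirect_uri})
    return f"{base}/realms/{realm}{LOGOUT_SUFFIX}?{query}"


def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """Approximate Keycloak's valid-redirect-URI check: an entry is either an
    exact match or, when it ends in '*', a prefix match (assumed behaviour)."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def check_logout_url(logout_url, realm, valid_redirect_uris):
    """Return a list of problems with a configured logout URL (empty if OK)."""
    problems = []
    parsed = urlparse(logout_url)
    if parsed.scheme != "https":
        problems.append("logout URL is not https")
    if not parsed.path.endswith(LOGOUT_SUFFIX):
        problems.append(f"path does not end with {LOGOUT_SUFFIX}: {parsed.path}")
    if f"/realms/{realm}/" not in parsed.path:
        problems.append(f"path is not under realm {realm}")
    redirects = parse_qs(parsed.query).get("redirect_uri", [])
    if not redirects:
        problems.append("missing redirect_uri parameter")
    elif not redirect_uri_allowed(redirects[0], valid_redirect_uris):
        problems.append(f"redirect_uri {redirects[0]} is not a registered valid redirect URI")
    return problems
```

A redirect target that is not registered as a valid redirect URI is rejected by Keycloak, so the check on the redirect target is worth running before pointing the SP at the URL.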