This GitLab issue [1] seems relevant. It may be the case that GitLab does not support SAML
SP-initiated global logout at this time.
You mentioned that GitLab can redirect users to a URI after performing its own logout
procedure. This problem then seems to be another instance of KEYCLOAK-3476 [2], i.e.
GitLab may be a SAML SP that cannot process LogoutRequest messages but does offer
arbitrary redirection. In theory, GitLab can redirect to the OIDC Logout Endpoint [3]
which would destroy the Keycloak IdP session that was initially started by a SAML client.
Here's a *major* catch -- in my experience with Keycloak v1.9.8.Final, once an invalid
configuration has been placed in the "Logout Service POST Binding URL" field for
SAML clients lacking LogoutRequest support, that client is now "polluted" and
must be deleted and recreated before GLO will work! Subsequently blanking the field would
result in Keycloak throwing NPEs. I cannot speak to whether this behaviour is present in
more recent versions of Keycloak.
Hope that helps,
-John Bartko
[1] https://gitlab.com/gitlab-org/gitlab-ce/issues/25854
[2] https://issues.jboss.org/browse/KEYCLOAK-3476
[3] https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc...
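The redirect chain described above (GitLab finishes its own logout, then sends the browser to the Keycloak OIDC logout endpoint so the IdP session ends too) as an added Python example; it is not code from either poster. It assumes the `redirect_uri` query parameter that Keycloak releases of that era accepted on the endpoint, and the check that the post-logout target stays on the SP's own origin is an assumed policy; all hostnames are constructed.

```python
from urllib.parse import urlencode, urlsplit


def is_on_sp_origin(redirect_uri: str, sp_origin: str) -> bool:
    """True when redirect_uri has the same scheme and host as the SP (assumed policy)."""
    target = urlsplit(redirect_uri)
    origin = urlsplit(sp_origin)
    return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)


def build_oidc_logout_url(keycloak_base: str, realm: str,
                          redirect_uri: str, sp_origin: str) -> str:
    """Build the Keycloak OIDC logout URL GitLab should redirect to after local sign-out.

    keycloak_base -- e.g. "https://sso.example.com/auth" (constructed)
    realm         -- Keycloak realm name
    redirect_uri  -- where Keycloak sends the browser once the IdP session is gone
    sp_origin     -- the SP's own origin; redirect_uri must stay on it
    """
    if not is_on_sp_origin(redirect_uri, sp_origin):
        raise ValueError(f"refusing post-logout redirect off the SP origin: {redirect_uri}")
    endpoint = f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/openid-connect/logout"
    # urlencode percent-encodes the nested URL so it survives as one query value
    return f"{endpoint}?{urlencode({'redirect_uri': redirect_uri})}"


if __name__ == "__main__":
    # Constructed hosts: the SAML client (GitLab) and the Keycloak IdP
    print(build_oidc_logout_url("https://sso.example.com/auth", "corp",
                                "https://gitlab.example.com/users/sign_in",
                                "https://gitlab.example.com"))
```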
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Сергей Галюзин <galserg(a)gmail.com>
Sent: Wednesday, July 5, 2017 11:17:43 AM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] saml logout
Hi all!
I am trying to use Keycloak as the IdP for GitLab via the SAML protocol.
Authentication works well.
But I can't configure the integration with the logout service.
GitLab can redirect the user after logout to a customizable URL.
If it redirects to the main SAML entry point (root/realms/{realm}/protocol/saml/),
I see the error "invalid request".
If I type anything into the "Logout Service POST Binding URL" field and
redirect to this URL, I see a 404 error or a blank screen.
In the documentation this service is practically not described.
Is there a standard entry point for the logout service (like the standard SSO point
root/realms/{realm}/protocol/saml/clients/{url name})?