Hi,
I have set up Keycloak with a SAML2 Identity Provider and I have a client
application configured to authenticate against Keycloak using SAML2.
If I log out from the application, the logout happens correctly using browser
redirects and the user is logged out from the application, from Keycloak,
and from the identity provider. But if I log out from the identity provider,
the provider sends a logout request to Keycloak but Keycloak does not send
the logouts to the clients.
I have checked the source code regarding this and in the second scenario
Keycloak uses only the backchannel logout and does not even attempt to do
the browser / frontchannel logout. In my case backchannel logout is not
supported.
In the source code I can see that the SamlService class (which is invoked
when I log out from the application) uses either browser logout or
backchannel logout:
https://github.com/keycloak/keycloak/blob/1ac51611d3c1dd7c9b6537430587fa4...
But in the SamlEndpoint class (which is used when the identity provider
sends the logout request to Keycloak) it only attempts the backchannel
logout:
https://github.com/keycloak/keycloak/blob/ca4e14fbfa76e5c909503bde9b0f4e2...
Is this the way it's supposed to work, or is Keycloak just missing this
feature?
Br,
Sauli
--
Sent from:
http://keycloak-user.88327.x6.nabble.com/
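For anyone reproducing the two scenarios above and wanting to confirm whether a browser (frontchannel) logout actually reached a client, here is an added Python example, not Keycloak's own code and not part of the original post, that builds a minimal SAML 2.0 LogoutRequest and encodes/decodes it with the HTTP-Redirect binding. The issuer, NameID, SessionIndex and URLs are constructed sample values, and the request is left unsigned, which a real Keycloak request is not.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_logout_request(issuer, name_id, session_index, request_id="_constructed-id-1"):
    # Minimal unsigned LogoutRequest (constructed); a real IdP-issued request is also signed.
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )

def to_redirect_binding(client_logout_url, logout_request_xml, relay_state="ks"):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode
    # into the SAMLRequest query parameter the browser is redirected with.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(logout_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    return client_logout_url + "?" + urlencode(params)

def inspect_redirect_binding(url):
    # Reverse the binding so a client-side log can show which session a
    # browser-delivered logout targeted (useful when comparing both scenarios).
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest: " + root.tag)
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "relay_state": query.get("RelayState", [None])[0],
    }
```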