Troubleshooting Multi-Service Portal with Multi-SSO Login 'Logout' redirectIssue In a custom or non-custom URL setup where there are two or more IdPs configured, you want to direct users to a certain service portal for SSO login using a URL pointing to a service portal and have single logout work correctly with the respective IdPs. For example, the service portal URLs are csm (https://<instance_name>.service-now.com/csm) and test_sp (https://<instance_name>.service-now.com/test_sp), with different sets of SSO IDP profiles (in this case, the OIDC provider is OKTA) used for login and logout functionality. ‘Logout’ redirection works fine for the first portal URL setup as expected, but for the second portal URL logout from the test_sp portal, you will stay on the same page and the user is not logged out.ReleaseApplies to any release.CauseTracing the logs for the non-working scenario for logout from HAR and backend logs, you will observe the below-mentioned error. *** ERROR *** SAML2: signSAMLObject : SAML Object could not be signed. Ensure Singning Key Alias and Password values are set correctly to Extract the certificate for signing. ***ERROR *** SAML2: SAML2Error: generateCredential:Service Provider key password is null. Could not validate SAML LogoutResponse *** ERROR *** SAML2: SAML2ValidationError: Failed to validate logout response status. Expected: urn:oasis:names:tc:SAML:2.0:status:Success, Actual: urn:oasis:names:tc:SAML:2.0:status:RequestUnsupportedResolutionPre-migration Check: Identify if the Keystore is being used Kindly follow the below steps to confirm if existing SSO integrations in your instance are using the keystore: Go to Multi-Provider SSO > Identity Providers (IdP)For every active IdP, check if any of the below checkboxes are set to true; if yes, then keystore is being used. Encrypt AssertionSign AuthnRequestSign LogoutRequest Signing Signature Algorithm value to be checked as noted in the KB article.KB0753604 Manually re-entered the OOB password ('saml2sp' no quotes) in the Identity Provider[saml2_update1_properties]glide.authenticate.sso.saml2.keystore was pointing to the old expired certificate. Update it to point to the "SAML 2.0 Keystore_Key2048_SHA256_FIPS" sys_certificate record. Steps to migrate from the expiring SAML 2.0 SP Keystore to the new Keystore are documented in this KB article.KB0994948 Single Logout is to be enabled on the Okta admin interface; instructions are to be followed under the 'Single Log Out' section in this documentation: How to Configure SAML 2.0 for ServiceNow