GluuFederation / oxShibboleth

Shibboleth project for the Gluu Server's SAML IDP functionality.

Missing Content-Type header on ssologout page

durkovic opened this issue · comments

When SAML logout is initiated via web browser by navigating to:

https://gluu.server/idp/Authn/oxAuth/logout

the logout flow proceeds with the following HTTP requests:

GET https://gluu.server/oxauth/restv1/end_session?id_token_hint=.....
GET https://gluu.server/idp/Authn/oxAuth/ssologout?sid=.....

For both GET requests, Gluu server returns 200 OK responses:

For the first one (end_session):

HTTP/1.1 200 OK
Date: Wed, 10 Jul 2019 06:01:41 GMT
Server: Jetty(9.4.12.v20180830)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-transform, no-store
Content-Type: text/html
Pragma: no-cache
Content-Length: 449
Set-Cookie: consent_session_id=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly
session_id=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly
opbs=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;HttpOnly
Connection: close

For the second one (ssologout):

HTTP/1.1 200 OK
Date: Wed, 10 Jul 2019 06:01:42 GMT
Server: Jetty(9.4.12.v20180830)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 0
Connection: close

In the above response to ssologout, the Content-Type header is missing, which confuses the Safari web browser on e.g. iPad: it offers to open 'ssologout' with some binary application. Such web browser behaviour is correct according to RFC7231: If a Content-Type header field is not present, the recipient MAY either assume a media type of "application/octet-stream"...

To fix, the response to ssologout should contain:
Content-Type: text/html
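A quick check for the missing header described above, added here as an example and not taken from the issue or the oxShibboleth project: it parses captured HTTP response heads and flags any response that lacks Content-Type. The two samples are constructed from the headers quoted in the issue (Set-Cookie lines shortened), so the ssologout one is flagged and end_session is not.

```python
from typing import Dict, List, Tuple

Headers = Dict[str, List[str]]


def parse_response_head(raw: str) -> Tuple[int, Headers]:
    """Parse an HTTP/1.x status line plus header block (body not needed)."""
    lines = raw.strip().splitlines()
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: Headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        # Field names are case-insensitive; repeated fields (e.g. several
        # Set-Cookie lines, as in the end_session response) are kept as a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status), headers


def content_type_findings(raw: str) -> List[str]:
    """Return findings for one response head; an empty list means no issue."""
    status, headers = parse_response_head(raw)
    if "content-type" in headers:
        return []
    length = headers.get("content-length", ["?"])[0]
    return [f"{status} response without Content-Type (Content-Length: {length}); "
            "RFC 7231 lets the client treat the body as application/octet-stream"]


# Constructed from the headers quoted in the issue; not live captures.
END_SESSION = """HTTP/1.1 200 OK
Server: Jetty(9.4.12.v20180830)
X-Content-Type-Options: nosniff
Content-Type: text/html
Content-Length: 449
Set-Cookie: consent_session_id=;Path=/;Max-Age=0;HttpOnly
Set-Cookie: session_id=;Path=/;Max-Age=0;HttpOnly
Connection: close
"""

SSOLOGOUT = """HTTP/1.1 200 OK
Server: Jetty(9.4.12.v20180830)
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
"""
```

Running `content_type_findings` over a saved capture of each logout-flow response is enough to confirm the fix once the ssologout response carries `Content-Type: text/html`.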

  1. Log in to the oxTrust UI as admin
  2. Navigate to OpenID Connect > Clients
  3. Select the IDP client
  4. Copy the preset Front Channel Logout URI (https://gluu.server.url/idp/Authn/oxAuth/ssologout)
  5. Remove the value > Update
  6. Set the copied value again > Update

Now check. This worked for me.