Clarify that OPs must send a logout notification to the RP that requested RP-Initiated Logout

Issue #1134 resolved
Michael Jones created an issue

When an RP sends an RP-Initiated Logout message to the OP, the OP MUST still request that that RP log out if it believes that it was logged in. (This notification can happen via Session Management, Front-Channel, or Back-Channel.)

This means that the RP need not clear its logged-in state before sending the RP-Initiated Logout message (although it is also free to do so).

This issue resulted from the discussion at https://github.com/openid-certification/oidctest/issues/205.

Comments (3)

  1. gffletch

    I think the guidance for the RP is that they SHOULD log the user out before sending the user to the OP rather than waiting to get a logout callback from the OP.

  2. Hans Zandbelt

    @gffletch that’s the current wording, but it makes it confusing to determine whether the initiating RP should expect to be called back or not.

    If we agree to adopt the proposed text in this issue, then I suggest dropping the current text about logging out users before redirecting to the OP.
