Hi
With OIDC Provider logon, the user gets a session store entry. This presumably stores the refresh token, and other session attributes.
When the OIDC Provider logs on they also get an SMSESSION cookie in the primary domain.
We want to know if there is SLO enabled, and the SMSESSION user logs out - are the associated OIDC session entries also deleted?
For background:
We are looking at session coordination across OIDC Relying Parties (and options for SLO across the OIDC Relying Parties).
I am aware of the following:
https://knowledge.broadcom.com/external/article?articleId=142570&_ga=2.100058590.1768824579.1595989778-1478507459.1594255604
And appreciate the logout in the relying party to be properly implemented would need some co-ordinated call to the relying party.
But, what we want to check is if (locally) when the SMSESSION user logs out, with SLO set, does that delete the entries in the local session store for the OIDC Provider setup (this will be entries for refresh_token, etc.).
We assume the call to verify token, or refresh token from the relying party will return failure or false when the OIDC session store entries are deleted.
And would like to know if that deletion is (or perhaps can be) coordinated with the SMSESSION SLO logout.