With OIDC Provider logon, the user gets a session store entry. This presumably stores the refresh token, and other session attributes.
When the user logs on via the OIDC Provider, they also get an SMSESSION cookie in the primary domain.
We want to know: if SLO is enabled and the SMSESSION user logs out, are the associated OIDC session entries also deleted?
For background:
We are looking at session coordination across OIDC Relying Parties (and options for SLO across the OIDC Relying Parties).
I am aware of the following:
And I appreciate that, to be properly implemented, the logout in the relying party would need some co-ordinated call to the relying party.
But, what we want to check is if (locally) when the SMSESSION user logs out, with SLO set, does that delete the entries in the local session store for the OIDC Provider setup (this will be entries for refresh_token, etc).
We assume the call to verify token, or refresh token from the relying party will return failure or false when the OIDC session store entries are deleted.
And we would like to know if that deletion is (or perhaps can be) coordinated with the SMSESSION SLO logout.
Release : 12.8.03
Component : SITEMINDER -WEB AGENT FOR APACHE
As you have probably found, there is no documentation on this, but I have found a previous case where the following was asked:
"How do we kill the smsession, when user hits logout on the client? Is there a logout endpoint for OIDC?"
"you will need to use the Agent logoffUri to remove the smsession"
And also a link to this idea:
So, it would appear that the answer is no.
For your convenience, here is the doco for logoffUri: