diff --git a/CHANGELOG.md b/CHANGELOG.md
index d7f43c9..841829e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
# Changelog
+## Unreleased
+
+Expose `SaveTokens` option on `OneLoginOptions`.
+
+
## 0.3.1
Adds `NationalInsuranceNumber` member to `OneLoginClaimTypes`.
diff --git a/src/GovUk.OneLogin.AspNetCore/OneLoginOptions.cs b/src/GovUk.OneLogin.AspNetCore/OneLoginOptions.cs
index f8969f9..a522d60 100644
--- a/src/GovUk.OneLogin.AspNetCore/OneLoginOptions.cs
+++ b/src/GovUk.OneLogin.AspNetCore/OneLoginOptions.cs
@@ -34,9 +34,6 @@ public OneLoginOptions()
GetClaimsFromUserInfoEndpoint = true,
UseTokenLifetime = false,
- // We'll save the ID token ourselves - we need it for sign out
- SaveTokens = false,
-
MapInboundClaims = false,
DisableTelemetry = true
};
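Review bot: Dropping `SaveTokens = false` from the initializer leaves the library's default implicit; it now rests on OpenIdConnectOptions.SaveTokens defaulting to false in the framework, and the removed comment was the only place explaining why the id_token is stored by hand. I would keep the line with a pointer to the new public property, e.g. `SaveTokens = false, // default; the id_token is persisted regardless (see SaveTokens and OnTokenResponseReceived)`, so a reader of the constructor does not have to know the upstream default to understand why sign-out still works when tokens are not saved. The OneLoginOptions constructor starts above this hunk.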
@@ -156,6 +153,13 @@ public CookieBuilder CorrelationCookie
///
public OpenIdConnectEvents Events { get; }
+ ///
+ public bool SaveTokens
+ {
+ get => OpenIdConnectOptions.SaveTokens;
+ set => OpenIdConnectOptions.SaveTokens = value;
+ }
+
internal OpenIdConnectOptions OpenIdConnectOptions { get; private set; }
internal bool IncludesCoreIdentityClaim => Claims.Contains(OneLoginClaimTypes.CoreIdentity);
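Review bot: The new `SaveTokens` property carries an empty `///` line and no summary text as shown here (this may be extraction loss, but if the XML doc is really empty it should be filled in). The doc comment should say that the value is forwarded to the underlying OpenIdConnectOptions, that when true the framework persists the access, refresh and id tokens into the authentication properties (by default the authentication cookie, so ticket size and the exposure of bearer tokens both grow), and that the id_token is stored regardless of this setting because sign-out depends on it, as OnTokenResponseReceived below does. Stating the default (false) in the summary would also close the gap left by removing the explicit initializer in the constructor hunk above.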
@@ -223,7 +227,10 @@ internal Task OnRedirectToIdentityProvider(RedirectContext context)
internal Task OnTokenResponseReceived(TokenResponseReceivedContext context)
{
- if (context.TokenEndpointResponse.IdToken is string idToken)
+ // Always store the id_token, even if SaveTokens is false;
+ // without it sign out doesn't work end-to-end.
+
+ if (!context.Options.SaveTokens && context.TokenEndpointResponse.IdToken is string idToken)
{
context.Properties?.StoreTokens(new[]
{