What does logout mean in a federated context?

[surfnet-niels]

The proposal describes how federated login should work (https://github.com/privacycg/is-logged-in#federated-logins) and how the federated login provider needs to call the API as part of the login to the destination website.
What is however the expected behavior of both entities upon logout?

Should logout for one site remain 'local' to the current destination website or should that trigger 'global' logout at the federated login provider for all sites the user has recently logged in?
The former scenario may create a false sense of security for the user, as it may seem logout was done, but pressing login again may trigger (automatic) re-authN at the federated login provider a the user may still bel authenticated there.
The latter might create havoc if users get logged out of all site the currently have logged into.
Also, how would such a feature interplay with Single Sign-on capabilities of a the federated login provider?

[gffletch]

Unfortunately, logout in a federated identity provider sense is a mutually exclusive problem. The classic description goes like this...

1. The user is logged into gmail and reading their mail in a tab. The user then opens a new tab, goes to hikingtrails.example and selects the "Sign-in with Google" option. When the user logs out of hikingtrails.example, they shouldn't be automatically logged out of gmail (or at least that is not likely what the user expects to happens).

2. The user goes directly to hikingtrails.example and selects the "Sign-in with Google" option. When the user logs out of hikingtrails.example they may not remember that they are also logged into Google and need to logout there as well.

Both are valid cases. The general best practice from an identity perspective is for hikingtrail.example to inform the user at time of logout that they logged in via Google and if they want to logout at Google they need to go to Google to logout (possibly providing a link to make it easy for the user).

I'm not sure how to implement that best practice with IsLoggedIn()

[samuelweiler]

I agree the usual user expectation is "logout for one site remain 'local' to the current destination".

'global' logout is also useful but, if we decide to add it, it should be added in parallel - adding complexity to the UI. (ick)

[samuelgoto]

A related (but possibly orthogonal question, so happy to kick off a separate issue), are the implications of "setting setFederatedLoggedIn()" for logout. I know we have resisted so far being opinionated about the implications, but "front channel logout" requires the IDP to embed iframe RPs with third party cookies, and I'm wondering if "setFederatedLogIn()" allows that to work.

We've been collecting some thoughts on logout here in case that helps.

[vibronet]

Assiciated to the discussion we are having on the Privacy CG call, please find a description of the front page logout: https://github.com/IDBrowserUseCases/docs/pull/23/files?short_path=36331a3#diff-36331a3ef573312d503814870d50fc46ee6e69efc1b20c73e5d1606f9dd18104

[gffletch]

One additional comment. We need a solution for SAML flows including logins that start with the "IDP Initiated" flow which may be more difficult to classify.