Local logout without involving the OP

[trantor]

Hello.
I am setting up the module to protect a web application. I'd like to know how to perform a simple local logout that does not involve the OP. I've looked through the wiki but I mostly see references to Single Logout and not how to initiate a Local Logout.

Could anyone help me with that?
Thanks in advance

[zandbelt]

If your OP does not support Single Logout, hitting the logout endpoint of mod_auth_openidc will indeed just kill the local session; if the OP supports SIngle Logout and you don't want to use that, you can just remove the mod_auth_openidc_session cookie.

In the latter case however you need to be aware that the OP probably maintains an SSO session and hitting a protected page again will just result in an SSO trip to the OP without explicit login so the practical value of local logout is limited.

[trantor]

Thanks @zandbelt for the lightning-quick answer. What you described, although admittedly of limited value, is the same behaviour we've seen used by several of our customers using SAML or CAS SSO authentication.
To sum it up there is no builtin mechanism to achieve just a Local Logout with a redirection, what one could achieve with a Shibboleth SAML SP for instance. It's deleting the cookie and then perform a manual redirection. That's what we do with the mod_auth_cas CAS module, so I know exactly how to achieve that. Thanks for the clarification.