1 hour ago, bondsbw wrote
blowdart, why can't logout work the same as login?
1. User clicks the logout link.
2. The site clears its cookie and directs you to the IdP logout page.
3. The IdP asks you to confirm logout. (This may be optional; leaving out this step could annoy users who click on malicious links that log them out.)
4. Assuming logout is confirmed, the IdP clears its cookie.
5. The IdP forwards you to a URL specified by the originating site.
The malicious use in 3 is why