blowdart, why can't logout work the same as login?

  1. User clicks the logout link.
  2. The site clears its cookie and directs you to the IdP logout page.
  3. The IdP asks you to confirm logout.  (This may be optional; leaving out this step could annoy users who click on malicious links that log them out.)
  4. Assuming logout is confirmed, the IdP clears its cookie.
  5. The IdP forwards you to a URL specified by the originating site.