
service provider (or maybe in example/): figure out and implement logout service #4

Closed
crewjam opened this issue Dec 1, 2015 · 2 comments
Comments

@crewjam
Owner

crewjam commented Dec 1, 2015

No description provided.

@crewjam
Owner Author

crewjam commented Dec 1, 2015

Okay, so I think the logout service conceptually in SAML is rather silly.
ref: http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/

At a high level, when a user wants to log out, the SP sends a logout request to the IDP. The IDP sends logout requests to all other SPs (except the one that made the request). The other SPs respond to the IDP, and the IDP responds to the users.

The spec says when an SP receives a logout request, it should invalidate the session. Now imagine the case where the SP implements its local user session by issuing a signed token (i.e. JWT). There is effectively no way to invalidate a JWT once issued without introducing some kind of datastore you check against. The beauty of JWT is you don't have to read a database to auth a request.

Ugh!

So for now, the decision is to not implement logout.
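As an added illustration of the trade-off described in the comment above (not code from this issue or from the crewjam/saml library): a stateless, HMAC-signed session token standing in for a JWT, plus the one piece of state an SP needs to honour a LogoutRequest, a revocation map keyed by session id. Entries only have to outlive the token they revoke, so the map stays bounded; all names here (`Issuer`, `Issue`, `Revoke`, `Validate`) are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Issuer mints and checks a constructed stand-in for a JWT session token, laid out as
// "<id>.<expUnix>.<base64url HMAC-SHA256>". Logged-out ids live in a small revocation map
// rather than a full session database; the happy path never touches a datastore.
type Issuer struct {
	key     []byte
	mu      sync.Mutex
	revoked map[string]int64 // session id -> expiry (unix); pruned once the token would expire anyway
}

func NewIssuer(key []byte) *Issuer { return &Issuer{key: key, revoked: map[string]int64{}} }
func (s *Issuer) sign(payload string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue returns a self-contained token carrying the session id and expiry.
func (s *Issuer) Issue(id string, exp time.Time) string {
	payload := id + "." + strconv.FormatInt(exp.Unix(), 10)
	return payload + "." + s.sign(payload)
}

// Revoke is what the SP calls on receiving a SAML LogoutRequest for this session; expired
// revocation entries are dropped on each write so the map is bounded by live tokens.
func (s *Issuer) Revoke(id string, exp time.Time, now time.Time) {
	s.mu.Lock(); defer s.mu.Unlock()
	for k, e := range s.revoked { if now.Unix() >= e { delete(s.revoked, k) } }
	s.revoked[id] = exp.Unix()
}

// Validate checks signature, expiry and the revocation map, returning the session id.
func (s *Issuer) Validate(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed token") }
	payload := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(s.sign(payload)), []byte(parts[2])) { return "", errors.New("bad signature") }
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp { return "", errors.New("token expired") }
	s.mu.Lock(); defer s.mu.Unlock()
	if _, out := s.revoked[parts[0]]; out { return "", errors.New("session logged out") }
	return parts[0], nil
}
```

The revocation check is the only database-like lookup, and it disappears on its own once the longest-lived revoked token expires.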

@james-async

Any chance you could reconsider supporting logout? I'm not asking for full, but what about supporting SP-initiated logout. I see three possible paths and am advocating option 3 below:

  1. full support of logout
  2. support IdP-initiated logout (as noted above this is silly)
  3. support crewjam-driven logout to support the service provider that is using crewjam to initiate logout

I could possibly help with a patch but am uncertain of where to start -- where public API would be added.
