Logout refers to the ability to discontinue authenticated access to a service in such a manner that subsequent access attempts will require the user to reauthenticate with the same kind of credentials that were used originally. In many non-web applications, logout simply means ending a network "session" (e.g., a TCP/IP connection, or a set of connections protected by a particular session key). The ordinary web browser makes this model impossible: HTTP is stateless, a web session always spans multiple connections, and the session is divorced from the transport security layer unless TLS client authentication via a certificate is used. A web session is instead represented by a token (usually a cookie) that the browser presents on every request, so closing a connection ends nothing. An effective logout therefore has to invalidate the session state itself, on the server or by making the token unverifiable, so that a retained copy of the token no longer grants access; merely removing the cookie from the browser does not meet the definition above.
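As an added illustration of the point above (not code from the Shibboleth project or from the original page), the following Python models a server-side session table for a stateless HTTP application. The cookie name `sid`, the idle timeout, the sample users and the two logout handlers are assumptions chosen for the example. It shows that a logout page which only clears the cookie in the browser leaves a retained copy of that cookie usable on a later request over a fresh connection, while invalidating the server-side state forces reauthentication, as does letting the session idle past its timeout.

```python
"""Server-side session model showing why web logout must invalidate session
state rather than only drop a cookie. Added illustration; not Shibboleth code."""
import hashlib
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session table for a stateless protocol like HTTP.

    The browser presents the same cookie on every request, whatever TCP or TLS
    connection carries it, so the session lives here, not in the transport.
    Only a hash of the cookie value is stored so that a leaked copy of the table
    cannot be replayed as bearer cookies. The idle timeout is an assumed value.
    """

    def __init__(self, idle_timeout: float = 900.0) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _key(cookie: str) -> str:
        return hashlib.sha256(cookie.encode("ascii")).hexdigest()

    def login(self, user: str, now: float) -> str:
        """Create a session after the user has authenticated; return the cookie value."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie)] = {"user": user, "last_seen": now}
        return cookie

    def authenticate(self, cookie: Optional[str], now: float) -> Optional[str]:
        """Map a presented cookie to a user, or None if reauthentication is required."""
        if cookie is None:
            return None
        key = self._key(cookie)
        record = self._sessions.get(key)
        if record is None:
            return None
        if now - record["last_seen"] > self.idle_timeout:
            del self._sessions[key]          # expired: treated exactly like a logout
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, cookie: str) -> None:
        """Discard the server-side state so this cookie value can never authenticate again."""
        self._sessions.pop(self._key(cookie), None)


def client_only_logout(store: SessionStore, browser: Dict[str, str]) -> None:
    """Weak pattern (assumed handler name): the logout page just clears the browser cookie."""
    browser.pop("sid", None)


def server_side_logout(store: SessionStore, browser: Dict[str, str]) -> None:
    """Correct pattern (assumed handler name): invalidate server state, then clear the cookie."""
    cookie = browser.get("sid")
    if cookie is not None:
        store.logout(cookie)
    browser.pop("sid", None)


def cookie_replays_after_logout(logout_fn) -> bool:
    """Log in, keep a copy of the cookie (another tab, a shared machine, a proxy
    log), run the given logout handler, then present the copy on a later request.
    Returns True if the old cookie still authenticates, i.e. logout was ineffective."""
    store = SessionStore()
    browser: Dict[str, str] = {}
    browser["sid"] = store.login("alice", now=1000.0)   # constructed sample user
    retained_copy = browser["sid"]
    logout_fn(store, browser)
    return store.authenticate(retained_copy, now=1001.0) is not None


def idle_session_requires_reauth() -> bool:
    """A session left idle past the timeout also forces reauthentication."""
    store = SessionStore(idle_timeout=60.0)
    cookie = store.login("bob", now=0.0)                 # constructed sample user
    assert store.authenticate(cookie, now=30.0) == "bob"  # still within the timeout
    return store.authenticate(cookie, now=200.0) is None


if __name__ == "__main__":
    print("client-only logout leaves cookie valid:", cookie_replays_after_logout(client_only_logout))
    print("server-side logout leaves cookie valid:", cookie_replays_after_logout(server_side_logout))
    print("idle timeout forces reauthentication:", idle_session_requires_reauth())
```

The same shape applies when the session is carried in a signed token rather than a server-side table: "invalidating state" then means a revocation list or a key or version change that makes the retained token fail verification.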

Shibboleth reference point: https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues

Possible topics:

  • Localized vs. Non-Localized Logout
  • IdP-Only vs. Global/Single Logout
  • Front vs. Back Channel
  • Implications for Sessions and Authentication Integration Strategies
  • UI