
Using Hybrid flow and back-channel logout, and trying to single sign out multiple user sessions when the user signs out of one session.

If I use the same browser, then I have no problem SSO the user, one client redirects to IDSRV4 logout page, and IDSRV4 invalidates the session, sends a back channel logout request to the client and the session cookie "idsrv.session" is deleted from the browser. Client 2 then makes a request and notices that there is no authentication cookie and redirects to IDSRV4 for login.

When I open Client 1 and Client 2 in different browsers, Single Sign On fails to work, and the user must enter credentials in each browser (expected, since the browsers do not share cookies).

However, I would still like to be able to invalidate all sessions of the user when they log out of IDSRV4, and send back-channel logout requests to each client.

I have tried implementing the LogoutSessionManager/CookieEventHandler in each client (that's how the back-channel is working in the same browser). However, IDSRV4 never sends the Logout request to the second client, only the one that initiated the log out request. But since the logout request deletes the "idsrv.session" cookie, then the other client is effectively "logged out."

I have thought about implementing a state server as described in this SO IDSRV4 question, but have not yet started because the terminology of "lazy-signout" and triggering a challenge is new to me and I haven't researched them enough quite yet.

Any and all help, or ideas are appreciated. Thanks
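The client-side pattern the question names (a LogoutSessionManager that records terminated sessions, plus a cookie-validation hook that rejects a principal whose session was terminated) can be sketched independently of IdentityServer. The following is an added example written for this page, not the asker's code and not IdentityServer4's own sample; it follows OIDC Back-Channel Logout 1.0 for the logout_token claim checks (issuer, audience, iat, the backchannel-logout `events` member, no `nonce`, at least one of `sub`/`sid`). JWT signature verification is assumed to have been done by a JWT library before the decoded claims reach `validate_logout_token_claims`; the issuer URL, client id and claim values in the demo are constructed.

```python
"""Client-side OIDC back-channel logout handling (constructed example).

Models two pieces a relying party needs:
  1. validation of the decoded logout_token claims (signature already checked),
  2. a session store consulted whenever the local authentication cookie is used,
     so that a cookie whose (sub, sid) was terminated is no longer honoured.
"""
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Event type the spec requires inside the "events" claim of a logout_token.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(ValueError):
    """Raised when a logout_token fails a claim check; the RP must answer 400."""


def validate_logout_token_claims(claims: dict, issuer: str, client_id: str,
                                 now: Optional[float] = None) -> Tuple[Optional[str], Optional[str]]:
    """Check a decoded logout_token's claims and return (sub, sid).

    Assumes the JWT signature and 'alg' were verified by a JWT library first.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise LogoutTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60:  # small clock-skew allowance
        raise LogoutTokenError("missing or future iat")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:
        raise LogoutTokenError("logout tokens must not carry a nonce")
    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise LogoutTokenError("token must carry sub or sid")
    return sub, sid


@dataclass
class LogoutSessionManager:
    """Remembers terminated sessions; in production this lives in a shared store."""
    terminated_sessions: Set[Tuple[Optional[str], str]] = field(default_factory=set)
    terminated_users: Set[str] = field(default_factory=set)

    def handle_logout_token(self, claims: dict, issuer: str, client_id: str,
                            now: Optional[float] = None) -> None:
        sub, sid = validate_logout_token_claims(claims, issuer, client_id, now)
        if sid is None:
            # Token names only the user: the spec says log out all of that user's sessions.
            self.terminated_users.add(sub)
        else:
            self.terminated_sessions.add((sub, sid))

    def is_logged_out(self, sub: Optional[str], sid: Optional[str]) -> bool:
        return sub in self.terminated_users or (sub, sid) in self.terminated_sessions


def validate_cookie_principal(manager: LogoutSessionManager, principal_claims: dict) -> bool:
    """Cookie-validation hook: True keeps the principal, False rejects it (forces re-login)."""
    return not manager.is_logged_out(principal_claims.get("sub"), principal_claims.get("sid"))


def demo() -> Tuple[bool, bool, bool]:
    """Walk through one back-channel logout with constructed claim values."""
    issuer, client_id, now = "https://idsrv.example/", "mvc-hybrid", 1_700_000_010
    manager = LogoutSessionManager()
    # Constructed logout_token claims for session "s1" of user "alice".
    manager.handle_logout_token(
        {"iss": issuer, "aud": client_id, "iat": 1_700_000_000, "jti": "t1",
         "sub": "alice", "sid": "s1", "events": {BACKCHANNEL_EVENT: {}}},
        issuer, client_id, now)
    s1_ok = validate_cookie_principal(manager, {"sub": "alice", "sid": "s1"})
    s2_ok = validate_cookie_principal(manager, {"sub": "alice", "sid": "s2"})
    # A second token carrying only "sub" terminates every remaining session of alice.
    manager.handle_logout_token(
        {"iss": issuer, "aud": [client_id], "iat": 1_700_000_005, "jti": "t2",
         "sub": "alice", "events": {BACKCHANNEL_EVENT: {}}},
        issuer, client_id, now)
    s2_ok_after = validate_cookie_principal(manager, {"sub": "alice", "sid": "s2"})
    return s1_ok, s2_ok, s2_ok_after


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The store is keyed by the `sub`/`sid` pair carried in the logout_token, so a client can only terminate the sessions the provider actually names in the tokens it sends; a token with `sub` alone is the spec's way to terminate all of a user's sessions at that client. Keep the store shared across web nodes and bounded by the cookie lifetime, and answer a failed claim check with HTTP 400 rather than silently ignoring it.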
