As well as any session your site maintains for a user, there is also a session maintained by your OpenAthens SP instance. To end this, the user should be forwarded to the logout path specified in the configuration. The default is /oa/logout (e.g: https://sp.yourdomain.com/oa/logout), with a transparent action - i.e. it is expecting there to be a page of your own there or a redirect, perhaps to your own logged out page.
This will end the local OpenAthens session without affecting the users' session with their identity provider for single-sign-on to other resources.
If you want to additionally offer the end-user the facility to sign out of their identity provider, the nature of SAML and diversity of IdP software means the location to send the user is inconsistent and often unknown so we do not recommend it. In situations where a signout URL is known (e.g. in the OpenAthens federation it is always https://login.openathens.net/signout) it becomes possible and the things to consider would be:
- The sign out of the IdP must be separate from your own sign out - i.e. signing out of your service must not automatically sign a user out of their IdP as they will usually have other resources to access. You should either...
- offer two sign out options such as: "Sign out of Cool-Resource", and "Sign out of Cool-Resource and your institution", or
- offer a separate sign out option for the IdP in the place that confirms the user is signed out of your resource - perhaps on the /oa/logout page.