# cfml-general
b
General SSO authentication question here. When a user initially visits your application you authenticate them with the identity provider. They may or may not already be logged in, but either way they authenticate. I'm guessing you don't want to try to authenticate them with every page request, so do you then set a session variable to say they're logged in? And if so, what happens when they intentionally log out of the central system? That should also log them out of your application, but if you're not checking each time, how would you know? The same holds for when their central login expires. I feel like I'm trying to reinvent the wheel here and don't want to.
c
My understanding was that most IdPs have multiple methods to sort this for you, and you don't always even have to have your own sessions (though that's usually also supported).
t
From a SAML2 perspective you can define a logout URL, but you need to be able to identify the user from the request, so you have to maintain some kind of session. OpenID Connect has a couple of options: there is session management (https://openid.net/specs/openid-connect-session-1_0.html), front-channel logout (https://openid.net/specs/openid-connect-frontchannel-1_0.html) and RP-initiated logout (https://openid.net/specs/openid-connect-rpinitiated-1_0.html). But in all cases you need to maintain a session.
It has been a while since I touched the OpenID stuff, but I remember we used a combination of the above to achieve the desired goal, which was: logout of the IdP logs out the RP, and logout of the RP optionally logs out of the IdP.
b
I'll check those links out. So far I haven't found any good resource that discusses anything beyond the initial authentication process. Thanks!
c
Also look into CSRF tokens, used to prevent cross-site request forgery attacks. There are other benefits, such as: if the user just closes the browser and the token isn't stored client side, the user is essentially logged out, since the token on the server side would be hard to replicate if your encryption hashing algo is strong. https://www.synopsys.com/glossary/what-is-csrf.html#:~:text=A%20CSRF%20token%20is%20a,token%20for%20every%20user%20session.
b
That's my main concern, that I'm going to implement something that seems fine but has vulnerabilities like that.