Tom Jackman Given that KC provides the brokered IDP, I think it's for KC to handle how to disconnect the user session from the IDP?

I think we can make this task more clear: implement the logout function by invalidating the session from KC and remove any local auth state data. Let's not worry about the brokered IDP yet. Is that ok with you?