Is supporting backchannel logout a hard requirement of integration with CIS2? Documentation to me does not explicitly state.
I understand its benefits and we are OpenID Connect, have support and would use it as we would want to end all sessions from an experience perspective.
However, I’m just trying to clarify if this is the stance in a general context.
Its use is currently strongly recommended where your users are predominantly existing smartcard users and are used to pulling the smartcard to end sessions. It is essentially providing a migration path for user behaviour towards a more standards based service, where users and applications will take more responsibility for managing and ending sessions when their work is done.
It’s not mandatory, but may be required depending on what resources and data are being accessed with the authentication, and essentially who is empowered to accept the risk of not having it.
It is particularly important on shared machines where the user is not locking or logging off the OS.
There will be some guidance changes coming out around this in the not too distant future.