Merge pull request #982 from DuendeSoftware/wca/checksession-and-logout

Clarify that external IDP federated sign-out typically uses the front-channel logout approach

Author: maartenba

.gitignore

@@ -21,4 +21,5 @@ pnpm-debug.log*
 # macOS-specific files
 .DS_Store
 .vscode/settings.json
-*.iml
+*.iml
+.idea/**/copilot.data.migration.*.xml

src/content/docs/identityserver/ui/logout/external-notification.md

@@ -22,6 +22,12 @@ out" page.
 IdentityServer must then notify all of its clients (as discussed [here](/identityserver/ui/logout)), also typically in the form of a
 request in an `<iframe>` from within the external identity provider's `<iframe>`.
 
+:::note
+To configure federated sign-out from an external identity provider, please refer to the documentation for your specific
+external identity provider. When using an OpenID Connect identity provider, this is typically configured using the
+front-channel logout URI.
+:::
+
 What makes federated sign-out a special case (when compared to a normal [logout](/identityserver/ui/logout)) is that the federated
 sign-out request is not to the normal sign-out endpoint in IdentityServer.
 In fact, each external IdentityProvider will have a different endpoint into your IdentityServer host.
@@ -36,7 +42,7 @@ federated sign-out.
 
 Fortunately IdentityServer already contains this code.
 When requests come into IdentityServer and invoke the handlers for external authentication providers, IdentityServer
-detects if these are federated signout requests and if they are it will automatically render the same `<iframe>`
+detects if these are federated sign-out requests and if they are it will automatically render the same `<iframe>`
 as [described here for logout](/identityserver/ui/logout).
 
-In short, federated signout is automatically supported.
+In short, federated sign-out is automatically supported.