Reputation: 19218
I want to migrate an application to use an OpenID Connect provider only for authentication (and perhaps authorization), but continue using the existing session creation and management facilities of the application.
It seems that for that I wouldn't need any OpenID Connect session support, including what OIDC offers in terms of session management. In other words, I can just ignore OpenID Connect session management altogether. Is that correct?
The only somewhat strange phenomenon is that when my non-OIDC session expires, a new one will be created without the user having to enter their credentials. That's OK, even if somewhat strange coming from a classic per-application session/authentication background.
Upvotes: 1
Views: 193
Reputation: 53928
In general, federated SSO protocols like SAML and OpenID Connect transport user identity information in a verifiable token between domains, but they don't create a session. Upon receiving the token, the application is responsible for creating a session if it needs one, maintaining it and eventually killing it, though as you mention, killing a local application session in an SSO system doesn't bring you much.
Killing all application sessions and the SSO session would be useful and is called Single Logout, but it is optional in the aforementioned federation protocols.
Upvotes: 2
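The split the answer describes, as an added example (not code from the question or the answer): the application checks the claims of an ID token it received from the provider, then runs its own session with its own lifetime, so that local logout or expiry never touches the provider's session. The issuer, client id, TTL and sample claims are constructed for illustration, and signature verification of the token is assumed to have been done by a JOSE library beforehand.

```python
import secrets
import time

# Values the application expects (assumed for this example, not from the question).
ISSUER = "https://idp.example.test"
CLIENT_ID = "my-app"
LOCAL_SESSION_TTL = 900  # local app session lifetime (s), independent of the IdP session

def validate_id_token_claims(claims, expected_nonce, now=None):
    """Check the claims of an already signature-verified ID token; return the subject."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims["sub"]

class LocalSessionStore:
    """Application-owned sessions keyed by an opaque random id; the IdP session is separate."""
    def __init__(self):
        self._sessions = {}

    def create(self, subject, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"sub": subject, "expires": now + LOCAL_SESSION_TTL}
        return sid

    def lookup(self, sid, now=None):
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or s["expires"] <= now:
            self._sessions.pop(sid, None)  # expired: drop it, caller redirects to the IdP
            return None
        return s["sub"]

    def destroy(self, sid):
        # Local logout only. The IdP keeps its own session, so the next redirect to the
        # IdP typically returns a fresh token without prompting, as the question observed.
        self._sessions.pop(sid, None)

# Constructed sample: claims of an ID token the IdP would return after login.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                 "exp": 1_700_000_600, "iat": 1_700_000_000, "nonce": "n-abc"}
```

When `lookup` returns `None`, the application sends the user back to the provider; a user who still has a provider session gets a new token silently, which is exactly the behaviour described in the question.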