>Not sure what you argue, sorry. The RP decides when to force
>re-authentication,

Which is either automatic (with SSO) or not (login required at the *RP's* discretion).

>but also lets the user self-logout whenever if it so wishes.

But why would the user do that, if it could break their SSO?

-Shade