The session cookie for IdP aren’t invalidated after logout. The old session identifier may be saved (using a tool such as Chrome’s ‘EditThisCookie’) and reused to gain access to the application. Please check and confirm, if this is the right case.
The actual authentication mechanism employed by the application is up to the application and not dictated by our component.
If the IdP creates an authentication cookie at login, the IdP is responsible for clearing this cookie on logout.
Our component doesn’t create, manipulate or clear these cookies.
In our example projects, whether using forms authentication or OWIN, it’s the application that’s responsible for logging out the user and clearing the cookie.