Just make the logout button in your application
redirect the end user's browser to the IdP's logout URL after logging them
out of your application. The drawback to this angle is that if the IdP
serves multiple applications, the end users might be annoyed that they
now need to retype their password to get into, say, the expense reimbursement
system. In this model, you need a shift in mindset -- logging out
of an individual application is meaningless; you need to log out of the
IdP directly, kill your browser window, or lock your workstation in order
to protect your system.
Another approach that some folks use
is to configure their IdP to not generate session cookies and require the
end user to log in each time. This provides a central point of authentication,
but still requires the end user to type and retype their username and password
again and again and again. Some people consider this to be a good thing.
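The first approach above (invalidate the application's own session, then send the browser to the IdP's logout URL), as an added example that is not part of the original post. The IdP URL, cookie name and in-memory session store are assumptions made for illustration.

```python
"""Added example: framework-agnostic application logout that performs the
local logout first and then redirects to the IdP's logout endpoint.
The IdP URL, cookie name and session store are assumed placeholders."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed IdP logout endpoint (placeholder, not a real deployment value).
IDP_LOGOUT_URL = "https://idp.example.org/idp/profile/Logout"
# Assumed name of the application's own session cookie.
SESSION_COOKIE = "APPSESSION"


@dataclass
class SessionStore:
    """Server-side session table keyed by opaque session id (constructed for the example)."""
    sessions: dict = field(default_factory=dict)

    def invalidate(self, session_id):
        # Drop the server-side record so the old cookie value can never be replayed.
        return self.sessions.pop(session_id, None) is not None


def logout(store, session_id, idp_logout_url=IDP_LOGOUT_URL):
    """Return (status, headers) for the HTTP response to the logout click.

    Order matters: the application session is destroyed before the redirect
    is issued, so a user who never reaches the IdP page is still logged out
    of this application. Whether the IdP also ends its own session is up to
    the IdP, which is exactly the mindset shift described in the post.
    """
    store.invalidate(session_id)  # local logout, even if the id was unknown

    # Redirect only to the configured absolute https IdP URL, never to a
    # caller-supplied target, so the logout endpoint is not an open redirect.
    parsed = urlparse(idp_logout_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("IdP logout URL must be an absolute https URL")

    headers = [
        # Expire the cookie in the browser as well as on the server.
        ("Set-Cookie",
         f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Cache-Control", "no-store"),
        ("Location", idp_logout_url),
    ]
    return 302, headers


if __name__ == "__main__":
    # Constructed sample: one logged-in session, then a logout click.
    store = SessionStore(sessions={"abc123": {"user": "alice"}})
    status, headers = logout(store, "abc123")
    print(status, dict(headers)["Location"], store.sessions)
```

The handler is deliberately framework-free: the returned status and header list map directly onto whatever web framework you use, and the single fixed redirect target is what keeps the logout URL from being abused to bounce users elsewhere.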