I verified that SAML2SPSessionCreationStrategy creates BasicSPSessions for OIDC RPs, as its code contains the following if-clause:

I fully agree that we should create OIDCSPSession once the logout is supported, but at this point I feel that BasicSPSession creation by default is satisfactory. However, a new property idp.oidc.SPSessionCreationStrategy enables injecting a custom session creation strategy already, but I kept the default at the SAML2 one that creates BasicSPSessions.

Once is implemented, it should contain creation of OIDCSPSessions, and by then we’ll also know what properties that class should carry.

I didn't bottom out the code but from memory, this is actually not quite right yet. That class creates a SAML2SPSession, not a BasicSPSession. Since we're looking at another patch anyway, we should just go ahead and create an OIDCSPSession class and adjust this accordingly.

BasicSPSession is now put to the IdP session during the front-channel OIDC authentication sequence.

Yes, for now that’s good enough, it gets them cataloged for those using the UI.

It seems that the existing codebase for SAML is also able to create a BasicSPSession for the OIDC RPs.

If the authorize-flow evaluats the following bean (exactly the same definition in flows/saml/saml2/sso-abstract-beans.xml)

SAML2SPSessionCreationStrategy seems to create a BasicSPSession that contains client_id of RP as the id.

I also verified that OIDC RP appears in the logout page after this change.

Does this sound acceptable before a proper OIDC Logout support? Obviously we could also create a new OIDCRPSession as proposed in the description, but the contents at this phase would probably be equal or very close to BasicSPSession.