Thank you for your question.
When RapID-SL authenticates, it simply authorises a WordPress logon directly with a cryptographic signature that the plugin verifies directly. Unlike Clef, there is no reliance on an external authentication service, which improves privacy and reliability.
Once the RapID-SL user has authenticated and logged in to the site, they are then under the ‘session time out’ control of the individual WordPress site.
We appreciate that it would be useful for the user to revoke a session from within the app. This is a great suggestion and something we will seriously consider.