mod_sso should set X-Frame-Options
Since the logout mechanism involves loading the /sso_logout service endpoint into an IFRAME, mod_sso could set the proper X-Frame-Options for increased security. We know the login service URL, so it should be possible to use the 'ALLOW-FROM uri' syntax in the header.