Is checkmk SAML 2.0 capable?

I must disagree on that: between IDP and SP there is a Single Logout.
Conditionally, that is, when both the IDP and the SP have a Single Logout endpoint defined in their metadata.

When the above is true:

  • a logout on the SP will trigger a LogoutRequest to the IDP (SP initiated)
  • a logout at the IDP will trigger a request to the SP to also log out (IDP initiated)

That being said, most of the time the caveat is that when using a SAML SP module in front of an application (like with CheckMK), there is no backchannel from the application to the SP to check whether a user has logged off or not.
The same goes for the SP to the application: there is no webhook to let the SP inform the application that the user is logging out.

When a user logs out of the application in this case, one normally makes a redirect to the global logout page of the IDP, which in turn then does a logout request to the SP to also kill the session there.
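
The metadata condition described in the post above, as an added example that is not part of the original post: a Python check that reads IdP and SP metadata and reports whether each side publishes a `SingleLogoutService` endpoint. The metadata documents, host names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sample_metadata(role, slo_location=None):
    """Build constructed, minimal metadata for one role (hypothetical hosts)."""
    slo = (f'<md:SingleLogoutService Binding="{REDIRECT}" Location="{slo_location}"/>'
           if slo_location else "")
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://example.test/{role}">'
            f'<md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{slo}</md:{role}></md:EntityDescriptor>')


def slo_endpoints(metadata_xml, role):
    """Return {binding: location} for SingleLogoutService under a role descriptor."""
    # The input here is constructed inline; for metadata fetched over the network,
    # verify its signature and parse it with a hardened parser such as defusedxml.
    root = ET.fromstring(metadata_xml)
    found = {}
    for svc in root.findall(f".//md:{role}/md:SingleLogoutService", NS):
        found.setdefault(svc.get("Binding"), svc.get("Location"))
    return found


def slo_status(idp_xml, sp_xml):
    """Single Logout is only available when both sides define an endpoint."""
    idp = slo_endpoints(idp_xml, "IDPSSODescriptor")
    sp = slo_endpoints(sp_xml, "SPSSODescriptor")
    missing = [name for name, eps in (("IDP", idp), ("SP", sp)) if not eps]
    return {"single_logout": not missing, "missing": missing, "idp": idp, "sp": sp}


IDP = sample_metadata("IDPSSODescriptor", "https://idp.example.test/slo")
SP_WITH_SLO = sample_metadata("SPSSODescriptor", "https://sp.example.test/saml/slo")
SP_WITHOUT_SLO = sample_metadata("SPSSODescriptor")

if __name__ == "__main__":
    for label, sp in (("SP with SLO", SP_WITH_SLO), ("SP without SLO", SP_WITHOUT_SLO)):
        status = slo_status(IDP, sp)
        print(label, "->", "SLO available" if status["single_logout"]
              else f"no SLO, endpoint missing on: {', '.join(status['missing'])}")
```

Even when this check passes, it only covers the IdP and SP sessions; the application's own session behind the SP module is not visible in the metadata.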