Tags: authentication, single-sign-on, saml, saml-2.0, simplesamlphp

What is the proper way for a user to log out from simpleSAMLphp?


We use SimpleSAMLphp as the SAML implementation on the IdP side. There is an SP configured to authenticate users through the IdP. My question is about the logout process. When a user logs out from the SP, the session with the IdP persists. If I try to log in to the SP one more time, it uses the current session with the IdP and does not request credentials. How can I log the user out from the IdP? I know that I can configure a SingleLogoutService, but the SP does not support it. Does SimpleSAMLphp provide a user-friendly page for logout? What are the best practices?


Solution

  • If the SP doesn't support SLO, then you're SOL. Sorry. Couldn't resist.

    Seriously, though... Not a lot of SPs support SLO. There's a reason - all it takes is one SP not supporting it, or being unavailable to process the SLO request, and it "breaks the chain".

    If the SP supports redirecting the user to a page after logout, you could configure it to redirect to the IdP's authentication method's logout page to invalidate that token... But as far as destroying the actual session at the IdP itself, the best way to handle that is to make it a short-lived session (forcing revalidation of the authentication service's session).

    Ultimately, make darn sure you want to support logout requests (beyond the browser session).
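An added example, not code from the question, the answer or the SimpleSAMLphp project: a small PHP endpoint on the IdP host that an SP's "redirect after logout" setting can point at, implementing the answer's suggestion of clearing the IdP's authentication-source session (with no SLO, other SPs are not notified). It assumes the IdP's authentication source is named `example-userpass`, that the SimpleSAMLphp autoloader lives at the shown path, and that `sp.example.org` is the SP's host; the file name `idp-logout.php` is hypothetical.

```php
<?php
// Hypothetical idp-logout.php on the IdP host (added example, not SimpleSAMLphp's own code).
// The SP redirects the browser here after its local logout. This only drops the user's
// session at the IdP; without SLO, other SPs the user signed into are NOT notified.
require_once '/var/simplesamlphp/lib/_autoload.php'; // assumed path, adjust to your install

// Assumed name of the IdP's authentication source (see config/authsources.php).
const IDP_AUTH_SOURCE = 'example-userpass';

// Only send the user back to known SP pages. List the same hosts in config.php under
// 'trusted.url.domains', which SimpleSAMLphp itself checks for ReturnTo values.
const RETURN_TO_ALLOWLIST = ['sp.example.org'];

// Reject anything that is not an https URL on an allow-listed host, so the endpoint
// cannot be abused as an open redirect; fall back to a fixed post-logout page.
function safeReturnTo(?string $candidate, string $fallback): string
{
    if ($candidate === null) {
        return $fallback;
    }
    $scheme = parse_url($candidate, PHP_URL_SCHEME);
    $host = parse_url($candidate, PHP_URL_HOST);
    if ($scheme !== 'https' || !in_array($host, RETURN_TO_ALLOWLIST, true)) {
        return $fallback;
    }
    return $candidate;
}

$returnTo = safeReturnTo($_GET['ReturnTo'] ?? null, 'https://sp.example.org/logged-out');
$as = new \SimpleSAML\Auth\Simple(IDP_AUTH_SOURCE);

if ($as->isAuthenticated()) {
    // Removes this auth source's data from the IdP session, then redirects to ReturnTo.
    // Pair this with a short 'session.duration' in config.php, as the answer recommends,
    // so a session that never hits this endpoint still expires quickly.
    $as->logout(['ReturnTo' => $returnTo]);
}

// Not authenticated at the IdP: nothing to clear, just send the user on.
header('Location: ' . $returnTo, true, 303);
exit;
```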