When a user is logging out from a system that logs via SSO, does the system need to invalidate the global session of SSO?
In general, it is not necessary to invalidate SSO session. For example, if you are using Microsoft Azure AD (Office365) to SSO into your application, invalidating SSO would also log out user from all office applications. Log out user from your application without SSO invalidation would destroy current user application session, but if user navigate back to your application with still valid SSO session your application authentication module would create new user session without asking for credentials. You can see all interaction in browser web tools, assuming it is aa web apps. So for the user it seams that no log out had been happened. You can implement SSO through application "login/landing" page. If unauthenticated user tries to access application it would be redirected to a "login/landing" page with a URL or button to SSO. If user click/push on SSO , user get redirected to "real" sso login page - usual SSO authentication flow. In such scenario, logged out users with valid SSO session would ended up on application "login/landing" page instead of get directly to apps internals pages, but still enjoy login without credentials (SSO) when follow the link.