Single Logout (Global Logout, GLO) does not fully work on distributed PicketLink Identity Provider under certain circumstances, in case user uses (or is forced to use) different nodes with Identity Provider for logging in and/or logging out to/from Service Providers (e.g. no sticky sessions, or a node failure), user can remain logged in at several Service Providers after GLO, because the list of GLO participants is limited to the Identity Provider where the GLO request was sent to.

Given: EAP instance EAP1 with PicketLink SP1 EAP instance EAP2 with PicketLink SP2 EAP instance EAP3 with distributable PicketLink IdP EAP instance EAP4 with distributable PicketLink IdP no load balancer to simplify the test case SP1 targets IdP @ EAP3 (set in picketlink.xml config) SP2 targets IdP @ EAP4 (set in picketlink.xml config) Procedure: When user requests SP1, then user should be redirected to IdP @ EAP3, and IdP shoud prompt user to log in. [OK] When user logs in to IdP @ EAP3, then IdP should redirect user back to SP1, and SP1 should return index page (user should be logged in to SP1). [OK] When user requests SP2, then user should be redirected to IdP @ EAP4, and then user should be redirected back to SP2, and SP2 should return index page (user should be logged in to SP2). [OK] When user user requests Global Logout on SP1, then user should be logged out from SP1, SP2, and IdP. [FAILURE] user is logged out from SP1 and IdP (@ both EAP3 and EAP4), but not from SP2 – GLO workflow miss SP2