After more research, I see that SAML allows IDP-initiated logouts (which lead to a logout request sent from the IDP to the SP and the response in the opposite direction).
Is this possible with PicketLink?
Yeah, sure, this is supported. In fact, the PicketLink SP doesn't even know whether it was an IDP-initiated logout or a logout initiated by another SP which participated in the same session. In both cases, it handles the logout request.
More under the hood of PicketLink: the SamlSingleLogoutReceiver not only has a processIDPResponse method (for handling the response to a logout initiated by PicketLink), but also a processIDPRequest method (for handling a logout request coming in from the IDP).
Recently there was a forum discussion about this IDP-initiated single logout functionality:
Great. Thanks. Is there any configuration needed to enable it or will it just be a regular SAML request-response between the IDP and the SP?
I was still editing my response when your answer to the previous version of my response came in. So please read the updated version for some more details.
Regarding your last question: no additional configuration is required.