Well, I just noticed that the logout request generated by picketlink contains an Issuer, but does not contain a NameID or a SessionIndex.
(I'm curious because NameID/EncryptedID/BaseID is mandatory)
Is this as it should be or have I missed something?
Ryan did picket link solve this problem. I am using opensso and running into same issue
As of version 2.0.1 this was not resolved. We used a workaround specific to our scenario to achieve this.
We invalidated the user session of the current application and hit a ADFS2-specific url to single-sign-out.
Something along the lines of:
<meta http-equiv="refresh" content="0;url=https://my.adfs2.server/adfs/ls/?wa=wsignout1.0" />
If the latest version doesn't work for you, you could try something similar for opensso (based on your specific scenario ofcourse).