Sorry for being so late to the GLO party...
For me the keycloak global logout works, except for the "tiny little
detail" that keycloak fails verifying my IdP signature response, you can
have a look here 
Apart from  there is no other documentation.
For me setting validateResponseSignature="false" in SingleLogoutService
works. However I would like to make it work with the signature verification.
Did you manage to make it fully working on your side?
On Mon, 21 May 2018 at 11:51, Leonid Rozenblyum (<lrozenblyum(a)gmail.com>) wrote:
I'm using a keycloak tomcat SAML adapter and I have a question related to
?GLO=true way of logging-out (since Tomcat doesn't implement full JavaEE
stack, request.logout() is not the way to go, right?).
When I use GLO=true, my session inside the Keycloak is indeed invalidated;
however, the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my
protected page still can be loaded.
Is there a robust documented way to do the logout with help of Keycloak
SAML tomcat adapter?
keycloak-user mailing list
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett