SSO is usually done using a ready-made SSO product, for example OpenAM or Shibboleth.
- This differs from product to product, but normally the application installs an agent that acts as a filter that checks whether the user is authenticated with the IdP; if not, the filter redirects the user to the IdP.
- Normally there is an authenticated session in the SSO product that only keeps the state of authentication; you still have a session on your application to keep application-specific user information.
- This can also be handled by the product. There are generally two ways to do logout: by redirect or by SOAP. With redirect, the user is redirected to the IdP and then to the different SPs that they are signed into. With SOAP, your application does a web service call to the IdP, requesting logout. The IdP then sends logout requests to the other SPs. Redirect is the recommended method.
I recommend reading the technical overview of SAML from OASIS.
On my blog I have some posts giving an introduction to SAML.
In my book, A Guide to OpenSAML, I also write a lot about this.
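To make the two flows in the answer above concrete (the agent-style filter that redirects an unauthenticated user to the IdP, and SP-initiated logout by redirect), here is a small stand-alone example. It is added here and is not code from the answer, from OpenAM, Shibboleth or OpenSAML. It builds a SAML 2.0 AuthnRequest and LogoutRequest and encodes them for the HTTP-Redirect binding (raw DEFLATE, base64, URL query). The IdP endpoints, SP entity ID and ACS URL are made-up assumptions, and the messages are left unsigned; a real SP adds SigAlg and Signature query parameters and the IdP validates them.

```python
"""SP-side SAML 2.0 helpers: SSO filter redirect + redirect-based Single Logout.

Added example, not part of the original answer or any SSO product's code.
Assumptions: the endpoint URLs and SP identifiers below are hypothetical,
and the requests are unsigned (production SPs sign the redirect query).
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical endpoints and identifiers (assumed for this example only).
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
IDP_SLO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SLO"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"

# RelayState is kept opaque: the return path lives server-side, keyed by a
# random token, so the IdP round trip cannot be abused as an open redirect.
_relay_store = {}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    return "_" + uuid.uuid4().hex  # SAML IDs are NCNames: not digit-leading


def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(data):
    return zlib.decompress(base64.b64decode(data), -15).decode()


def build_authn_request():
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _now(),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def build_logout_request(name_id, session_index):
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _now(),
        "Destination": IDP_SLO_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    # SessionIndex scopes the logout to the SSO session the IdP issued to us.
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def redirect_url(endpoint, xml, relay_state=None):
    params = {"SAMLRequest": deflate_b64(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


def sso_filter(session, requested_path):
    """Agent-style check. Returns None when the application session already
    holds an authenticated SSO principal, otherwise the IdP redirect URL."""
    if session.get("saml_name_id"):
        return None
    token = uuid.uuid4().hex
    _relay_store[token] = requested_path
    return redirect_url(IDP_SSO_URL, build_authn_request(), relay_state=token)


def resolve_relay_state(token):
    """Consume the token the IdP echoes back; unknown tokens fall back to '/'."""
    return _relay_store.pop(token, "/")


def sp_initiated_logout(session):
    """Redirect SLO: drop the local application session, then send the user to
    the IdP with a LogoutRequest; the IdP propagates logout to the other SPs."""
    name_id = session.get("saml_name_id")
    if not name_id:
        return None
    xml = build_logout_request(name_id, session.get("saml_session_index", ""))
    session.clear()
    return redirect_url(IDP_SLO_URL, xml)


def decode_redirect(url):
    """What the IdP receives: parsed SAMLRequest element and the RelayState."""
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(inflate_b64(qs["SAMLRequest"][0]))
    return root, qs.get("RelayState", [None])[0]


if __name__ == "__main__":
    url = sso_filter({}, "/reports/42")  # constructed unauthenticated session
    print(url)
    print(ET.tostring(decode_redirect(url)[0], encoding="unicode"))
```

The application session (the `session` dict) is separate from the SSO session the IdP tracks, matching the answer's point about two sessions: the filter only consults the local record of who was authenticated, and logout clears it before handing the user to the IdP.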