I have been able to get the Workspace Single Sign On feature to work, but now users can't logout of Workspace. It looks like the logout link logs the user out and redirects to the login page, which sees the SSO HTTP headers and logs the user back in.
Does anyone know of a way to correct this behavior?
Unfortunately there is no clean way to detect for SSO. The only thing I can propose is if this is a pure SSO environment then you can remove the logout button in Workspace and recompile/deploy the app.
Yes with LC ES Update 1 (or 8.2.1) its possible to have SSO with Windows domain logon.
The documents explaining that are currently avialable through prerelease site. If you are part of pre-release program you can access it under documentation at User Management > Enabling SSO in LiveCycle ES > Enabling SSO using SPNEGO
Workspace would check and create a session for you once you "create a sso session". After that it does not rely on the "sso session" and instead creates a LiveCycle SSO session. So even if you "terminate" your sso session workspace would not detect it. You would have to explicitly logout from workspace to terminate your LiveCycle session
The intended behavior of Workspace SSO is to not ever allow a user to be in a logged out state unless the context from the point of login expires or is logged out. The fact that we still show the "logout" link when SSO is in use is unfortunate and something we will consider remedying in a future release.