Once you configure the "Logout URL" field in the SAML plugin and hit the "Logout" button in the Jenkins UI, logout fails with a message:

HTTP ERROR 403 No valid crumb was included in the request

I believe this is due to the , now enforced, CSRF protection

When I disable the SAML plugin and log on with a local Jenkins user, the logout functionality works as expected.

As a workaround, I have tried to : 

• Enable/disable the "proxy compatibility" checkbox for the Default Crumb Issuer
• Add a reverse proxy (Nginx) to my setup in order to redirect the browser to the Identity Provider for Single Log Out
  The problem with this is that we bypass Jenkins' standard logout and I can't figure out how to reset the Jenkins session
• Install and configure the  Strict Crumb Issuer Plugin which provides more options to customize the crumb validation

None of the above worked for me. 
The only thing that did work was to disable the CSRF protection completely. However, this is not a viable workaround for my production Jenkins instance.

hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true

Other issues seem to suggest that this issue is to be resolved by the plugin used.