Somehow, login out a Drupal user by accessing the logout URL (/user/logout) directly (type in the address in the Chrome browser) could end up loading the logout page twice in a very short period of time (less than 2 second).
It might be a Chrome bug occurring in an edge case.
See https://issues.chromium.org/issues/41276238
When logging out a Drupal user, this module will call the SimpleSAML\Auth\Simple::logout() to send a SAML logout request to IDP. once the IDP finishes the logout process on their end, it will redirect to the SP's logout endpoint, which is the SimpleSAMLphp logout endpoint in our case.
The duplicated logout page loading will interrupt the SAML logout process before the IDP has a chance to redirect to SP's logout endpoint to inform the SP to logout the user on the it's end.
It happens to Chrome browser randomly and it seems fine if logging out a user by clicking a link rather than accessing the logout URL directly via the browser's address bar.
Once it happens, there are two GET requests to the user logout page subsequently. And the first one has a SAML request redirection and second one doesn't.
The consequence is that, the user won't be logout appropriately and the SimpleSAMLphp's session still live. If the user try to saml_login again, the user can login without requiring credentials.
Delete the SimpleSAMLphp session cookie while logging out.
Active
4.0
Code
Due to a bug in /tests/src/Functional/SimplesamlphpAuthTest.php line 91
https://git.drupalcode.org/issue/simplesamlphp_auth-3439861/-/blob/4.x/t...
The PHPunit test won't be passed.