Add option to perform a SAML logout when using Drupal logout '/user/logout'

Yes, that sounds like a fine addition (though I'd like it to stay off by default), and probably clear enough where the configuration UI option should go.

I assume you'll just be calling SamlController::logout() (which first logs out from Drupal and then redirects to the IdP, to log out from there + possibly do a logout-redirect-sequence through all logged-in sites/SPs).

Detail note for completeness:

From official SAML docs, I understand the 'official' specification for SP initiated logout is to first logout from the IDP + all other SPs, and then logout from our SP (Drupal) once we are redirected back.. (Drawing in #3043704-9: Make user logout more robust.) I've found this to be a risk of never logging out from Drupal at all, because we have no control over what errors can occur during the logout-redirect-sequence). So the Drupal logout happens first.

As far as I can tell quickly, simplesamlphp_auth also does Drupal logout first, in simplesamlphp_auth_logout() -- though it doesn't seem to do it 'properly' there. So hook_user_logout() implementations which maybe aren't currently executed by simplesamlphp_auth, will start being executed by the samlauth module.

@kfolsom, @roderik I submitted a merge request with what I think will workout. It looks like it's not recommended to use the samlController::logout() inside the hook_user_logout(). So I added a route subcriber to update the user.logout path to the saml/logout. There is a checkbox option on the login/user page. So it should be off by default, but allows someone to use /saml/logout inplace of user/logout.

Great. Route subscriber feels like the best option.

This change is of the type: code is stable / does not add any real complexity to existing code, so if it works for you, I'll merge it.

(I looked at the route subscriber, looks good to me. I'll check the rest in detail later. I'm absent, but I hope to do some proper reviews and merging, maybe do some other issues too before I release a new version... next week.)

@roderik that is great, thank you for your attention and guidance. Let me know if any concerns come up and I can rework any code.

Postponing on #3555406: User logout csrf because there may be an extra route to alter (and this feels like the right 'order of dependencies' in terms of keeping functionality separate).

I'm hoping for some activity there that I just need to review, but if not, I'll reassess next weekend.

OK, so I'll assume you're using the -dev version (and can work with just that one updated, for the next ~week).

Doing the dependency #3555406 (resulting in a 'cleaner' split) did not work out, due to lameness + an unexpected snag that still needs to be solved there. But it doesn't matter anymore.

I'll also add PHPUnit tests for the new functionality, in there.

I pushed some PHPCS issues + some dependency injection. (I hope to do more proper communication / set back to Needs Work when I'm more available / next time...) Plus some tweaking of UI labels. Nothing major.