Impossible to logout with a user authorized to log in the standard way

Patch applied and solves the issue.

Colleague of @zealialize and confirmed that the patch applies successfully thereby solving the issue.
I am marking this as Reviewed and tested by the community and request to take it ahead.

I'm not sure what problem this exactly solves, can you explain a bit more?

The only thing this hook does is destroy the simplesamlphp specific session as well, but if you did not log in using simplesamlphp, then you shouldn't have such a session in the first place?

Also, these settings don't mean those users/roles can *only* log in locally, they could still be logged in and then if they did log in using saml then they wouldn't be logged out .

I guess this is the same problem as #2837029: All site forms fail with "The form has become outdated" after allowing "Authenticated user" role to log in with local accounts.

I'm having the same problem, too. Though I'm not connected to an identity provider, yet.

Ah yeah see, the problem was probably related to either still having phpsession as store type OR not being connected to an identity provider. Now it works with store type sql and connected to an idp.

This is still a problem in the latest version of the module. It's primarily an issue if the local development environment does not have simplesaml. A user who logged in via drush for example cannot logout.

Rerolled earlier patch to be compatible with latest dev.

If you don't have simplesaml configured properly you should use a settings.php config override to not have it enabled (or the opposite, only enable it through a config override on production), I'm not fond of adding extra logic to check for that.

I still don't quite get what "can not logout" means. Do you get an exception? We could put a try/catch around isAuthenticated() then to ignore an error in that case.

We typically only have saml enabled in the staging and production config splits. But the latest version of the module added a new configuration variable and didn't maintain the pre-existing behavior when it was added, so I had to do some local debugging of the user login form alter. I can only do that with the module enabled even though I don't locally have saml installed.

I believe the error is related to:

Warning: session_create_id(): Failed to create new ID in SimpleSAML\SessionHandlerPHP->newSessionId() (line 173 of /var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php) which is slightly odd on the logout page.

To the user trying to log out, it's as though the logout link just doesn't do anything.

I can confirm that this is an issue. If the module is installed in an environment where simplesaml is not configured, local users cannot log out. I think this is a pretty common scenario in development, so it could use a fix. Patch #10 works, but I can't say one way or another whether that's the right way to handle it.

I can confirm the same behavior happens when simplesaml is configured, but the IDP has not finalized registration of the endpoint. Logged in as super user whose account has not been enabled to allow SAML login, and clicking "Logout" fails silently. Navigating to /user/logout has no effect whatsoever, no error in logs.

Hello with :
- core 9.4.7
- php 7.4.33
- PostgreSQL 13.9
- SimpleSAMLphp authentication 3.3.0
and patch 10 install with composer, I still can't disconnect user if they connect without SAM, in an preprod environment.
And no error or warning in the log.