Problem/Motivation

On Drupal 11.3.7 with SimpleSAMLphp Authentication 4.1.0, logging out while SAML logout handling runs can trigger a fatal error in simplesamlphp_auth_user_logout() (line 68):

Error: Call to undefined method Drupal\user\Entity\User::setAccount()
in simplesamlphp_auth_user_logout()

The module calls $account->setAccount(new AnonymousUserSession()), but setAccount() exists only on Drupal\Core\Session\AccountProxy (\Drupal::currentUser()), not on Drupal\user\Entity\User.

Drupal core resets the account on the proxy after hooks, not on the hook argument:

$user = \Drupal::currentUser();
\Drupal::moduleHandler()->invokeAll('user_logout', [$user]);
\Drupal::service('session_manager')->destroy();
$user->setAccount(new AnonymousUserSession());

Some callers invoke hook_user_logout with a loaded User entity (for example, Masquerade passes the previous user when switching users). When isActivated() and isAuthenticated() are true, simplesamlphp_auth fatals.

Observed on Acquia Dev. Related: comment on #3529092; MR !43 does not fix setAccount().

Affected versions: Drupal core 11.3.7; simplesamlphp_auth 4.1.0.

Steps to reproduce

  1. Drupal 11.3.7, simplesamlphp_auth 4.1.0, SimpleSAMLphp auth enabled. Log in via SAML.
  2. Log out via /user/logout.
  3. Check recent log or PHP error log.

Masquerade variant: enable Masquerade, log in via SAML, masquerade as another user, stop masquerading or log out — same fatal on line 68.

Expected: Clean logout and SAML redirect as configured.

Actual: Call to undefined method Drupal\user\Entity\User::setAccount().

Proposed resolution

In simplesamlphp_auth_user_logout(), replace:

$account->setAccount(new AnonymousUserSession());

with:

\Drupal::currentUser()->setAccount(new AnonymousUserSession());

Optionally revisit early $session->destroy() in this hook per #3529092.

Remaining tasks

  • Apply \Drupal::currentUser()->setAccount() fix.
  • Test SAML logout on Drupal 11.3.x.
  • Test Masquerade with SAML-linked users.
  • Add automated tests if feasible.

User interface changes

None.

API changes

None.

Data model changes

None.

Comments

brooke_heaton created an issue.
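
The type mismatch described in the report, reduced to a stand-alone PHP script (an added example, not code from simplesamlphp_auth or Drupal core). The classes and current_user() are minimal stand-ins constructed here for the Drupal types and \Drupal::currentUser(); PHP 8 is assumed.

```php
<?php
// Minimal stand-ins for the Drupal types named in the issue (constructed for
// this example; they are not Drupal's classes and model only setAccount()).
interface AccountInterface { public function id(): int; }

final class AnonymousUserSession implements AccountInterface {
  public function id(): int { return 0; }
}

// Like the user entity: an account, but with no setAccount() method.
final class User implements AccountInterface {
  public function __construct(private int $uid) {}
  public function id(): int { return $this->uid; }
}

// Like the current-user proxy: wraps an account and can swap it.
final class AccountProxy implements AccountInterface {
  public function __construct(private AccountInterface $account) {}
  public function id(): int { return $this->account->id(); }
  public function setAccount(AccountInterface $account): void { $this->account = $account; }
}

// Stand-in for \Drupal::currentUser(): one shared proxy per request.
function current_user(): AccountProxy {
  static $proxy;
  return $proxy ??= new AccountProxy(new User(42));
}

// Pattern from the report: assumes the hook argument is the proxy.
function logout_hook_before(AccountInterface $account): void {
  $account->setAccount(new AnonymousUserSession());
}

// Proposed pattern: always reset the account on the current-user proxy.
function logout_hook_after(AccountInterface $account): void {
  current_user()->setAccount(new AnonymousUserSession());
}

// Caller 1 passes the proxy (core logout); caller 2 passes a loaded entity.
foreach (['proxy' => current_user(), 'entity' => new User(7)] as $kind => $arg) {
  try {
    logout_hook_before($arg);
    echo "before/$kind: ok\n";
  } catch (Error $e) {
    echo "before/$kind: ", $e->getMessage(), "\n";
  }
  logout_hook_after($arg);
  echo "after/$kind: current user id = ", current_user()->id(), "\n";
}
```

The "before" hook only survives when the caller happens to pass the proxy; the "after" hook resets the current user to anonymous regardless of which account object the caller supplies.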