We noticed that with version 5.0.14 a new change was introduced in 'GetAppIdFromCookieOrSPToken' to include the SPToken. However, this caused an issue: if the SPToken was empty and there was no active cookie, 'GetReactTokens' retrieved the first record of a user where SPToken was empty, i.e. logging out a random user. Including 'and SPToken <> ""' within the filter solved this issue, and that is also our suggestion to improve this component (see screenshot IdP_SPTokenFilter.png).
Additionally, we faced an issue where, if the user closed their browser and re-opened it, the session cookie was lost, which caused an issue when the same user tried to log out afterwards. The login session within OutSystems was not closed, and after opening the browser the user was still logged in. This is because, due to the missing session cookie, the SAMLRequest failed (external IdP) and the SAMLResponse was not received.
This might be a misconfiguration on our end; however, we solved this issue by adjusting the flow in 2 ways.
1. Within the KillServerSession, in case GetCurrentUserSessionIndex is empty, which happens when there is no active session cookie, log out the user (see IdP_Logout.png).
2. Within the DoSLOLogout, if there is no session cookie, adjust the URL to redirect to the default logout URL instead of sending the SAMLRequest, as that request will fail (see IdP_URL.png).
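
The empty-SPToken match described in the first paragraph, reproduced as an added example that is not part of the original post or the component's own logic. The table, column names, sample rows and the cookie-or-token shape of the filter are assumptions made for illustration; only the `SPToken <> ""` condition comes from the post.

```python
import sqlite3

def make_store():
    # Constructed stand-in for the token store. Table and column names are
    # assumptions, not the IdP component's actual data model.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ReactTokens (UserId INTEGER, CookieValue TEXT, SPToken TEXT)"
    )
    db.executemany(
        "INSERT INTO ReactTokens VALUES (?, ?, ?)",
        [
            (101, "cookie-alice", ""),         # session stored without an SPToken
            (102, "cookie-bob", "tok-bob"),
            (103, "cookie-carol", ""),
        ],
    )
    return db

def lookup_unfiltered(db, cookie, sp_token):
    # Assumed shape of the lookup before the fix: match on cookie OR token.
    # An empty sp_token equals every row whose SPToken column is empty, so a
    # caller with no cookie and no token gets the first such user.
    row = db.execute(
        "SELECT UserId FROM ReactTokens "
        "WHERE CookieValue = ? OR SPToken = ? ORDER BY UserId LIMIT 1",
        (cookie, sp_token),
    ).fetchone()
    return row[0] if row else None

def lookup_filtered(db, cookie, sp_token):
    # Same lookup with the condition suggested in the post: a token only
    # counts as a match when the stored SPToken is not empty.
    row = db.execute(
        "SELECT UserId FROM ReactTokens "
        "WHERE CookieValue = ? OR (SPToken = ? AND SPToken <> '') "
        "ORDER BY UserId LIMIT 1",
        (cookie, sp_token),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_store()
    print("unfiltered, no cookie/no token:", lookup_unfiltered(db, "", ""))
    print("filtered,   no cookie/no token:", lookup_filtered(db, "", ""))
    print("filtered,   valid token       :", lookup_filtered(db, "", "tok-bob"))
```
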