Undertow / UNDERTOW-291

SingleSignOnAuthenticationMechanism.sessionDestroyed(...) will never find SSO_ID attribute


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 1.0.16.Final, 1.1.Beta7
    • Affects Version/s: 1.0.14.Final, 1.1.Beta6
    • Component/s: Security
    • Labels: None

    Description

      The sessionDestroyed(...) method in SingleSignOnAuthenticationMechanism looks for the SSO_ID via the session attribute. However, due to the order in which the session listeners are invoked upon session invalidation, the session never has any attributes when it reaches this method. Consequently, the other sessions associated with the same SSO as the invalidated session are never invalidated.

      This seems to be because the SingleSignOnAuthenticationMechanism's listener gets invoked after the SessionListenerBridge removes all the attributes from the session. Either this listener needs to be invoked before the SessionListenerBridge removes the attributes, or a different mechanism is needed to discover the SSO_ID (e.g. look to the request cookie). The former seems preferable.

      See the linked forum post for details.
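The listener-ordering problem described above, as an added illustration that is not Undertow's code and uses a hypothetical, simplified session model: one listener plays the role of the SessionListenerBridge (clearing attributes on destroy), another plays the role of the SSO mechanism's listener (reading SSO_ID and invalidating the sibling sessions), and the only difference between the two runs is the order in which they are invoked.

```java
import java.util.*;

// Hypothetical minimal session model (not Undertow's API): attributes plus an id.
class Session {
    final String id;
    final Map<String, Object> attributes = new HashMap<>();
    Session(String id) { this.id = id; }
}

interface SessionListener { void sessionDestroyed(Session s); }

// Stands in for SessionListenerBridge: removes every attribute when the session dies.
class AttributeClearingListener implements SessionListener {
    public void sessionDestroyed(Session s) { s.attributes.clear(); }
}

// Stands in for the SingleSignOnAuthenticationMechanism listener: finds the SSO_ID
// attribute and records the other sessions sharing that SSO as invalidated.
class SsoListener implements SessionListener {
    final Map<String, Set<Session>> ssoSessions;   // SSO_ID -> sessions in that SSO
    final List<String> invalidated = new ArrayList<>();
    SsoListener(Map<String, Set<Session>> m) { ssoSessions = m; }
    public void sessionDestroyed(Session s) {
        String ssoId = (String) s.attributes.get("SSO_ID");
        if (ssoId == null) return;   // attribute already cleared: siblings are left alive
        for (Session other : ssoSessions.getOrDefault(ssoId, Set.of()))
            if (other != s) invalidated.add(other.id);
    }
}

public class ListenerOrderDemo {
    // Builds two sessions sharing one SSO id (constructed sample data), destroys the
    // first one with the requested listener order and returns what the SSO listener
    // managed to invalidate.
    static List<String> destroyFirst(boolean bridgeFirst) {
        Session a = new Session("A"), b = new Session("B");
        a.attributes.put("SSO_ID", "sso-1");
        b.attributes.put("SSO_ID", "sso-1");
        SsoListener sso = new SsoListener(Map.of("sso-1", Set.of(a, b)));
        SessionListener bridge = new AttributeClearingListener();
        List<SessionListener> order = bridgeFirst ? List.of(bridge, sso) : List.of(sso, bridge);
        for (SessionListener l : order) l.sessionDestroyed(a);
        return sso.invalidated;
    }

    public static void main(String[] args) {
        System.out.println("bridge first (reported bug): " + destroyFirst(true));
        System.out.println("sso listener first (fix):     " + destroyFirst(false));
    }
}
```

With the bridge first, the SSO listener reads a null SSO_ID and invalidates nothing; with the SSO listener first, session B is invalidated along with A.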


          People

            Assignee: Paul Ferraro (pferraro@redhat.com)
            Reporter: Paul Ferraro (pferraro@redhat.com)
            Votes: 1
            Watchers: 1
