This issue often stems from misconfigurations or customizations related to the SAML integration, especially involving the com.liferay.saml.internal.servlet.filter.SpSsoSamlPortalFilter.

Check for Blacklisting:

If the SpSsoSamlPortalFilter is blacklisted (disabled) to prevent redirection to the Identity Provider (IdP) for native logins, it can disrupt the logout process for SAML users. Instead of blacklisting, use one of these approaches:

1. Sign-In Widget: Add a dedicated "Sign-In" widget to the default home page for users who authenticate through the native login. This provides a direct login path without triggering the SAML redirection.
2. Direct Login Link: Provide a direct link to the login portlet, bypassing the SAML filter. The URL structure would be similar to: http://your-liferay-instance/?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_state=maximized. Embed this link in a button, text, or other appropriate element on your login page.

Review Customizations:

Thoroughly review any custom code or configurations related to user authentication, login, or the SAML integration itself. If customizations are present, try temporarily disabling them to isolate the issue. Pay close attention to any modifications to the SpSsoSamlPortalFilter or related classes. If the issue resolves after disabling customizations, carefully examine the custom code for conflicts or incorrect handling of the SAML logout process.

Verify SAML Configuration:

Double-check the SAML configuration to ensure it's correctly set up according to the IdP's specifications. Incorrect settings can lead to incomplete logouts and subsequent errors.