After integrating CA xFlow with SAML, the integration works correctly, the authentication page loads on login, but when the user logs out, when loading the page again it loads the CA xFlow page and not the SSO authentication page.

The following log (incidentMS.log in debug) reads:

[c.c.c.a.s.AuthenticationServiceSessionCache] - Unable to find authentication token: 
13:59:23 [c.c.c.a.AuthenticationInterceptor] - authToken not found or null, unauthorized

When trying to log in again, it is seen that there is no token. The SSO session is destroyed correctly, but CA xFlow does not request the page again.

For environments where there is an Azure reverse proxy involved, the Azure Application Gateway, the behaviour is such that when attempting to logout, the expected behaviour is that the user will be sent back into xFlow.  Instead, a login-requestor appears, no way to log back into xFlow without clearing the browser cache and restarting the browser.

Service Desk 17.4 GA to RU3

A patch was provided to resolve the problem by leaving the SAML session active and allowing re-entry into xFlow.

The Service Management suite was designed in such a way that if you logout, and the SAML session is still active, you can restart xFlow or SDM or Catalog and resume the same SAML session.  

The above has been addressed as part of the 17.4 RU4 update.