What is the expected behavior of admin-initiated "Logout" function on on-prem firewall or Panorama managed Prisma Access GlobalProtect users?
Created On 05/22/23 19:19 PM - Last Modified 05/23/23 14:56 PM
Question
What is the expected behavior of an admin-initiated "Logout" function on on-prem firewall or Panorama managed Prisma Access GlobalProtect users, and how does it impact the authentication override and SAML cookies?
Environment
- Panorama managed Prisma Access
- On-prem Palo Alto firewalls
- Supported PAN-OS versions
- GlobalProtect App
Answer
- The Logout function initiated by an administrator on an on-prem firewall or on Panorama managed Prisma Access primarily disconnects the GlobalProtect tunnel.
- Terminating the tunnel does not clear authentication override cookies or SAML browser cookies.
- If Single Sign-On (SSO) or Saved User Credentials are enabled, or if SAML browser cookie(s) are present (in the case of SAML authentication), the following behavior is exhibited:
  - For Always-On users, GlobalProtect (GP) attempts to reconnect after a few seconds and performs a tunnel restoration. No username or password prompt is shown during this process. However, the tunnel restoration is bound to fail, leading GP to initiate network discovery.
  - For On-Demand users, GP only reconnects (via portal login) when the user manually clicks the Connect button.
- If the above authentication settings are not enabled, or no SAML browser cookie(s) are present in the browser, the GP user is prompted to enter credentials manually.
- In conclusion, the admin-initiated logout disconnects the tunnel but leaves the authentication cookies functional, so it only affects the reconnection process, which depends on whether the user is configured for the Always-On or On-Demand connect method.