UNDERTOW-269 SSO not destroyed when the last associated session times…

… out

core/src/main/java/io/undertow/security/impl/SingleSignOnAuthenticationMechanism.java

@@ -169,7 +169,11 @@ public void sessionDestroyed(Session session, HttpServerExchange exchange, Sessi
                         if (reason == SessionDestroyedReason.INVALIDATED) {
                             for (Session associatedSession : sso) {
                                 associatedSession.invalidate(null);
+                                sso.remove(associatedSession);
                             }
+                        }
+                        // If there are no more associated sessions, remove the SSO altogether
+                        if (!sso.iterator().hasNext()) {
                             manager.removeSingleSignOn(ssoId);
                         }
                     } finally {