You would like the user to sign out without any firewall / VPN in between. SAML, like many other authentication systems, works off of tokens/tickets. Once the user is authenticated, the IdP (identity provider) provides a ticket (with assertions inside) for the user's browser to submit to other applications that are integrated with this IdP. These applications will honor the ticket because the ticket is already signed by the IdP, and since the signature checks out against a stored public key (public/private key scheme), the app allows the user access without making a further request back to the IdP. So, as you can see, the IdP is not involved anymore after the first authentication and thus it cannot enforce the IP changes anymore.
The closest solution using only SAML is:
Keeping the lifetime of tickets short: The user does not need the ticket again until the next login or login to another app. So, this can be a valid option depending on how often your users authenticate to another app.
Using OneTimeUse tickets: This essentially requires a trip to the IdP for every new app authentication.
But, for both of these to work, your IdP session timeout should be set to a short time interval to cover the time necessary for your users to travel and have a different IP. This is because, if your IdP session has not expired, even though the app makes a request to the IdP, the IdP does not authenticate the user again because the user already has an active session with the IdP (and so it issues a new ticket without requiring the user to log in again).
Then of course, you must set IP/time limitations in your IdP.
With these, you could handle IP changes of a user and require a re-authentication in the IdP (thus IP/time filtering applied again). This is of course a limited work-around.
Check this out for more security suggestions from OWASP regarding SAML:
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html
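
The two SAML-only options above (short ticket lifetime and OneTimeUse) only help if the application enforces them when it receives the assertion. The following is an added example, not part of the original answer, of how a service provider could check the `Conditions` element; the function name, the 5-minute policy and the sample assertion are assumptions, and signature verification is assumed to have been done already by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_LIFETIME = timedelta(minutes=5)  # assumed SP policy for "short-lived" tickets

def _ts(value):
    # SAML instants are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, now, seen_ids):
    """Return (accepted, reason) for an assertion whose signature is already verified.

    seen_ids is the SP's replay cache (a set here; a shared store in production).
    Untrusted XML should be parsed with a hardened parser in real deployments.
    """
    assertion = ET.fromstring(assertion_xml)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not {"NotBefore", "NotOnOrAfter"} <= cond.attrib.keys():
        return False, "missing validity window"
    not_before = _ts(cond.attrib["NotBefore"])
    not_after = _ts(cond.attrib["NotOnOrAfter"])
    # Refuse tickets the IdP issued with a longer lifetime than the SP allows.
    if not_after - not_before > MAX_LIFETIME:
        return False, "lifetime exceeds policy"
    if now < not_before or now >= not_after:
        return False, "outside validity window"
    # OneTimeUse: accept each assertion ID once, forcing a new trip to the IdP.
    if cond.find("saml:OneTimeUse", NS) is not None:
        assertion_id = assertion.attrib["ID"]
        if assertion_id in seen_ids:
            return False, "OneTimeUse assertion replayed"
        seen_ids.add(assertion_id)
    return True, "ok"

# Constructed sample assertion (trimmed to the parts this check reads).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:03:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""

def demo():
    seen = set()
    t0 = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    return [check_conditions(SAMPLE, t0, seen)[1],   # first presentation
            check_conditions(SAMPLE, t0, seen)[1],   # same ticket again
            check_conditions(SAMPLE, t0 + timedelta(minutes=5), set())[1]]  # after expiry

if __name__ == "__main__":
    print(demo())
```

Once a ticket is rejected here, the browser is sent back to the IdP, which is where the IdP session timeout and IP/time rules described above take effect.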