
My SaaS application offers enterprise customers the option to use SAML to authenticate their user population against their own Identity Provider. This normally works fine; however, I am looking for advice on an edge case related to shared devices.

I offer both a manual logout option as well as an inactivity timeout, which terminates the session in my app. However, the IDP SSO session remains active.

It looks like I could use the ForceAuthn SAML parameter to force a new login prompt when signing in to my app; however, if I understand the documentation, this only applies to my app. That leaves the risk that any other enterprise app for that user would still detect the active SSO session at their IDP.

Is there an inverse concept which would allow me to authenticate a user via SAML, but instruct the Identity Provider to treat it as a one-time event rather than initiation of an SSO session?

I have also been looking into the Single Logout flow, but have found some articles indicating that it may not always be reliable, depending on the Identity Provider on the other end.

Any thoughts or guidance is very much appreciated!

yui91749
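As an added illustration of the ForceAuthn mechanism the question discusses (example code written for this page, not the poster's application or any library's API), the block below builds a SAML 2.0 AuthnRequest carrying `ForceAuthn="true"` and then applies the service-provider-side check that goes with it: ForceAuthn is only a request to the IdP, so the SP should confirm the returned `AuthnStatement/@AuthnInstant` is not older than the request's `IssueInstant` before treating the login as fresh. The entity IDs, URLs and timestamps are constructed placeholders; the sample responses are hand-written and unsigned, and XML signature validation (which a real SP must do first) is deliberately out of scope here.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET  # use defusedxml in production to resist XML entity attacks

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True, now=None):
    """Return (request_id, issue_instant, xml) for an SP-initiated AuthnRequest.

    ForceAuthn="true" asks the IdP to re-prompt the user even if it already holds
    an SSO session; IsPassive="false" permits that interaction.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
        "IsPassive": "false",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, issue_instant, ET.tostring(root, encoding="unicode")


def _parse_instant(value):
    # SAML uses xs:dateTime in UTC ("...Z"); fractional seconds are allowed.
    return dt.datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=dt.timezone.utc)


def check_fresh_authn(response_xml, request_issue_instant, request_id,
                      max_skew=dt.timedelta(seconds=60)):
    """Verify the IdP actually re-authenticated the user for this request.

    Returns (ok, reason). Runs AFTER signature validation, which is not shown.
    """
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match our request"
    statement = root.find(".//saml:AuthnStatement", NS)
    if statement is None:
        return False, "no AuthnStatement in assertion"
    authn_instant = _parse_instant(statement.get("AuthnInstant"))
    requested_at = _parse_instant(request_issue_instant)
    # An AuthnInstant earlier than our request (beyond clock skew) means the IdP
    # reused an existing SSO session instead of honouring ForceAuthn.
    if authn_instant < requested_at - max_skew:
        return False, f"AuthnInstant {authn_instant.isoformat()} predates request"
    return True, "fresh authentication"


def sample_response(authn_instant, in_response_to):
    """Constructed, unsigned IdP response used only to exercise the check."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
        f'Version="2.0" IssueInstant="2024-05-01T10:00:05Z" InResponseTo="{in_response_to}">'
        '<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:05Z">'
        '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">'
        '<saml:AuthnContext><saml:AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        '</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion></samlp:Response>'
    )


# Fixed request values so the demonstration is deterministic.
REQUEST_ID = "_req1"
REQUEST_INSTANT = "2024-05-01T10:00:00Z"
FRESH = sample_response("2024-05-01T10:00:03Z", REQUEST_ID)   # user re-prompted
STALE = sample_response("2024-05-01T09:15:00Z", REQUEST_ID)   # SSO session reused

if __name__ == "__main__":
    _, _, xml = build_authn_request("https://sp.example.test/metadata",
                                    "https://sp.example.test/acs",
                                    "https://idp.example.test/sso")
    print(xml)
    print(check_fresh_authn(FRESH, REQUEST_INSTANT, REQUEST_ID))
    print(check_fresh_authn(STALE, REQUEST_INSTANT, REQUEST_ID))
```

The freshness check is the SP's only way to detect an IdP that ignores ForceAuthn; it does nothing for the other SPs in the federation, which is exactly the gap the question describes.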

0 Answers