I deal with HIPAA at work, and I use session based to our SSO and it is time based logout, and if an early logout is performed it logs out of everything else that uses the SSO as well (and vice-versa). I just verify with the SSO on-access if the account is still logged in or not.
So… I put the onus on the people that manage the SSO (other contractors). ^.^






















