User one starts a browser and connects to the Forum using SSO, works for a while and then closes browser.
User two starts a browser on the same machine and logs into the Forum again using SSO. The process takes him through the full login with his credentials but when he enters the forum he is logged in as User one.
Discourse will allow the session timeout to be set to a minimum of one hour. This means that the user can return to the PC within one hour and simply log in and gain the identity of the previous user from cookies.
There was a fix back in 2016 to allow the cookies to die when the browser was closed but this was reverted.
This makes the software very insecure in an environment where multiple people use the same workstation if the browser has not been configured to work in private mode.
You can check the code from the above commit, that was reverted, and port it to a plugin to suit your needs.
You can also code a logout integration in your SSO system, so when a user log outs it calls Discourse to terminate all existing sessions of the same user.