Same question, same answer:
You can check the code from the above commit, that was reverted, and port it to a plugin to suit your needs.
You can also code a logout integration in your SSO system, so when a user log outs it calls Discourse to terminate all existing sessions of the same user.
And no, this is not considered a security flaw.