Same question, same answer:
https://github.com/discourse/discourse/commit/09ef5f613ef5fdf74554707de1fdccc935c6b0b9
You can check the code from the above commit, that was reverted, and port it to a plugin to suit your needs.
You can also code a logout integration in your SSO system, so when a user log outs it calls Discourse to terminate all existing sessions of the same user.
And no, this is not considered a security flaw.