I have a couple of questions for which I seek your help:
1) When a user successfully gains access to an SP after a SAML AUTH with AD FS (IDP), does the user's every interaction with the SP need to check with the IDP to ensure the user account is still valid? If not, how does the SP ensure that the user's subsequent interactions are not coming after the user's account has been terminated in the IDP?
2) If I have to assume the SP is keeping some SAML cookie so that the user's subsequent interactions with the SP do not result in a round-trip call to the IDP, what type of cookie is that? In SAML with AD FS, is a cookie the only option for the SP?
3) I have a use case which I don't know what to do with. Let's say the user is successfully logged in and that user account gets terminated in the IDP; what is the best way to remove the SAML session from the IDP to block the user from interacting with the SP after the user's account is terminated?