We're testing out SAML logins for ArcGIS Online for the first time. We're using Microsoft's Azure Active Directory. So far, we've been able to get it working, but are running into an issue on mobile devices.
On desktop workstations, when a user closes their web browser, by default it logs them out of their ArcGIS Online and Microsoft accounts. On mobile, however, closing the web browser only logs the user out of ArcGIS Online, not Microsoft. So, if anyone else tries to log into ArcGIS Online via SAML, it'll automatically log them into the previous user's Microsoft account (and thus their linked ArcGIS Online account) with no prompt whatsoever. This happens on iOS (Safari) and Android (Chrome) and even if the first user declines the "Stay signed in" option.
The only way for a user to "fully log out" on mobile is to go to Microsoft's Office 365 website and manually click "Sign out", or to shut down and restart the mobile device. This presents a security risk if someone forgets to do this, and could create confusion as some of our mobile devices are shared between multiple users. It's also affecting a third-party app we use that connects to ArcGIS Online for single sign-on.
Have other people run into this issue? If so, how have you dealt with it? I'm hoping there's a straightforward way we can have the user be completely logged out when closing the mobile browser or logging out of the third-party app, rather than forcing them to take extra steps to do so.
