Hi @jharris
Thank you for reaching out to us!
In the scenario that you mentioned, the IdP (Entra in this case) is called to authenticate a user, but as it already has a different user with an active session, it will assume that the same user is trying to authenticate and will use the current session to try and grant the access. As you’ve mentioned, this will not work in the case of multiple users if a session is still active and one user remains authenticated on the machine → they will first need to be logged out on the IdP level to allow for another user to create a session.
I recommend looking over our documentation on how to Log Users Out of SAML Identity Providers using Single Logout (SLO), but also the following blog post on Best Practices for Application Session Management.
Hope this helped!
Gerald