azure active directory – Why does AWS Cognito still refresh tokens after revoking all sessions in an external SAML SSO provider?
I have set up AWS Cognito with an external SAML Single Sign-On (SSO) provider (in my case, Okta and Azure AD, this is the setup I followed for Okta), and I have encountered a scenario that has left me puzzled.
It appears that even when I manually revoke all of a user’s sessions in Okta, AWS Cognito still continues to refresh the user’s access/ID tokens. This behavior persists even after the user has been disabled in Okta. The user is able to refresh their tokens until the refresh token itself expires.
My expectation was that after revoking all sessions and/or disabling a user in Okta, that user should immediately lose all access, and their next token refresh would fail.
Could anyone explain why this might be happening, and if it’s possible to force immediate session termination in AWS Cognito when a user is disabled in the SSO provider?
Is there something I’m missing in the setup that would help AWS Cognito recognize when a session has been revoked or a user has been disabled in the SSO provider?
Any guidance or help would be greatly appreciated. Thank you in advance!
Note: If there are additional steps required in the SSO provider (either Okta or Azure AD), I’m open to recommendations as well.
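The behaviour described in the question is the normal split between the SAML IdP and Cognito: once Cognito has federated the user and minted its own refresh token, later refreshes are served by Cognito alone, so revoking sessions or disabling the user in Okta or Azure AD does not reach the refresh token. One defensive measure an application can apply on its own side, shown here as an added example that is not from the question or from AWS, is to keep a per-user "sessions revoked after" timestamp (fed, for instance, by a deprovisioning webhook from the IdP) and reject any Cognito token whose `auth_time` claim predates it. This relies on `auth_time` being the time of the original sign-in, which a refresh does not reset (assumed here, and matching Cognito's token claims); the registry name, the constructed tokens and the fixed clock are all illustrative. Signature verification of the token against the user pool's JWKS is assumed to have been done before this check.

```python
import base64
import json

# Constructed clock for a deterministic demo (epoch seconds).
NOW = 1_700_003_600


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT. The signature MUST already have been
    verified against the user pool JWKS before calling this (not shown)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def is_session_revoked(claims: dict, revoked_after: dict, now: int = NOW) -> bool:
    """True if the token should be rejected by application policy.

    revoked_after maps a user's `sub` to the epoch second at which the IdP
    disabled the user or revoked their sessions. A token whose original
    sign-in (auth_time) happened before that instant was issued from a
    session the IdP no longer trusts, even though Cognito keeps refreshing it.
    """
    if claims.get("exp", 0) <= now:
        return True  # expired tokens are rejected regardless of the registry
    cutoff = revoked_after.get(claims["sub"])
    if cutoff is None:
        return False  # no revocation recorded for this user
    return claims["auth_time"] < cutoff


def _constructed_token(claims: dict) -> str:
    """Build an unsigned-looking JWT purely for the demo (not a real Cognito token)."""
    header = {"alg": "RS256", "kid": "constructed-demo-kid"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"constructed-signature"),
    ])


# Constructed registry: the IdP disabled user "sub-123" at NOW - 30 minutes.
REVOKED_AFTER = {"sub-123": NOW - 1800}

# Token refreshed after the IdP revocation, but from a sign-in two hours ago.
STALE_TOKEN = _constructed_token({
    "sub": "sub-123",
    "auth_time": NOW - 7200,   # original federated sign-in, preserved on refresh
    "iat": NOW - 60,           # freshly refreshed by Cognito
    "exp": NOW + 3540,
})

# Token from a brand-new sign-in after the user was re-enabled in the IdP.
FRESH_TOKEN = _constructed_token({
    "sub": "sub-123",
    "auth_time": NOW - 600,
    "iat": NOW - 600,
    "exp": NOW + 3000,
})

# Token for a user with no revocation on record.
OTHER_TOKEN = _constructed_token({
    "sub": "sub-456",
    "auth_time": NOW - 7200,
    "iat": NOW - 60,
    "exp": NOW + 3540,
})


if __name__ == "__main__":
    for name, tok in (("stale", STALE_TOKEN), ("fresh", FRESH_TOKEN), ("other", OTHER_TOKEN)):
        print(name, "revoked" if is_session_revoked(decode_claims(tok), REVOKED_AFTER) else "ok")
```

The check is deliberately independent of Cognito's own refresh-token lifetime: as long as the registry entry is kept for at least the configured refresh-token validity, a refreshed token from a pre-revocation sign-in can never pass, and a genuine re-login after the user is re-enabled produces a newer `auth_time` and is accepted again.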