I'm not sure you need to worry about the webapp Session invalidation.
Each jForum request goes thru the ControllerUtils.refreshSession() method. With SSO, this will call the SSO.isSessionValid(UserSession, request) method. This is where you should verify that the existing jForum UserSession is valid for your SSO conditions or no (e.g., does the SSO cookie say it's a different user?) [originally posted on jforum.net by monroe]