An SSO is deleted when any associated session is invalidated. If an associated session times out, the SSO is not destroyed. This is correct. However, when the last associated session times out, the SSO should be removed. Currently, the SSO will remain active, even after the last associated session times out.