By default, there is a job that helps to clean the user’s session every 24 hours based on the documentation here:
User sessions are cleared when a user tries to log in. Additionally, a job runs every 24 hours to clear sessions from the sessions database table.
Since you mentioned that the disabled user was still able to log in, I would suspect that the synchronization has not kicked in yet as the default setting is configured to 60 minutes. So, you might want to consider adjusting that if needed.
Additionally, the default session length for SSO is set to 30 days based on the configuration in
ahmaddanial@mattermost:~$ cat /opt/mattermost/config/config.json | grep "SessionLengthSSOInDays"
You can also reduce this number if needed to shorten the lifespan of the SSO sessions. Can you please give it a try and let me know how it goes on your end?