...
If this option is enabled, a request will be sent to the SSO provider when the access key of user needs to be refreshed, checking if the user is still logged in. Enabling the Verify refresh tokens on access key refresh option therefore allows the SSO provider to initiate a user to be logged out or having all access rights revoked.
Please note:
Since a network request has to be made to the SSO provider when refreshing an access key, refreshing an access key can take a bit longer.
When a user is logged out via the SSO provider or has access rights revoked, the user has access until the access key is refreshed. The access key refresh interval is configurable: DC 6.1 Service configuration.