Single sign off handling by network device in federated identity deployment

US9774588B2 · US · B2

Patent metadata

Publication number: US-9774588-B2
Application number: US-201414506867-A
Country: US
Kind code: B2
Filing date: Oct 6, 2014
Priority date: Oct 6, 2014
Publication date: Sep 26, 2017
Grant date: Sep 26, 2017


Abstract

Official abstract text for this publication.

In one implementation, a network device provides a single signoff service to one or more endpoints in software as a service (SaaS) sessions. The network device is configured to monitor a session between a software as a service (SaaS) provider and an endpoint device and to identify a network event trigger associated with the session. In response to the network event trigger, a signoff message is generated to the SaaS provider by the network device. The SaaS provider is configured to purge the session in response to the signoff message.

Claims

We claim:

1. A method comprising: at a network device having network connectivity to an endpoint device, monitoring a session between a software as a service (SaaS) provider and the endpoint device by monitoring communications to and from the endpoint device; identifying, at the network device, a network event trigger associated with the session based on the monitoring, wherein the network event trigger indicates a change in a connection state between the endpoint device and the network device; in response to the identifying of the network event trigger, initiating a timer that measures a predetermined time period for the endpoint device to rejoin the session; generating a signoff message at an expiration of the predetermined time period measured by the timer; and transmitting the signoff message to the SaaS provider to cause the SaaS provider to purge the session when the timer reaches the predetermined time period.

2. The method of claim 1, wherein additional SaaS providers are participating in additional sessions with the endpoint device and transmitting further comprises: transmitting the signoff message to the additional SaaS providers to cause the additional SaaS providers to purge the additional sessions.

3. The method of claim 2, further comprising: extracting an identifier of the endpoint device from the network event trigger; querying a session database maintained by the network device with the identifier to identify the additional sessions with the additional SaaS providers; and performing a redundancy check based on the identifier to ensure that the transmitting of the signoff message transmits one copy of the signoff message to each of the additional SaaS providers.

4. The method of claim 1, wherein the network event trigger is a connectivity shutdown detected by the network device, and the network device is a layer 2 device.

5. The method of claim 1, wherein the network event trigger is an internet protocol (IP) lease expiry, and the network device is a layer 3 device.

6. The method of claim 1, wherein the network event trigger is a logout message, and the network device is an authentication, authorization and accounting (AAA) server.

7. The method of claim 1, wherein transmitting comprises: publishing the signoff message in a publish and subscribe system, wherein a plurality of SaaS providers are configured to receive the signoff message from the publish and subscribe system.

8. The method of claim 7, wherein the plurality of SaaS providers are configured to purge tokens for the endpoint device in response to the signoff message.

9. The method of claim 1, wherein the SaaS provider is configured to filter traffic associated with the endpoint device based on a user policy.

10. An apparatus comprising: a memory configured to store at least one session entry, wherein the at least one session entry describes communications to and from an endpoint device during a session between a software as a service (SaaS) provider and the endpoint device; a controller configured to: identify a network event trigger associated with the session, wherein the network event trigger indicates a change in a connection state of the endpoint device; in response to the identifying of the network event trigger, initiate a timer that measures a predetermined time period for the endpoint device to rejoin the session; and generate a signoff message at an expiration of the predetermined time period measured by the timer; and a communication interface configured to: transmit the signoff message to the SaaS provider to cause the SaaS provider to purge the session when the timer reaches the predetermined time period.

11. The apparatus of claim 10, wherein additional SaaS providers are participating in additional sessions with the endpoint device and, in transmitting, the communication interface is further configured to: transmit the signoff message to the additional SaaS providers to cause the additional SaaS providers to purge the additional sessions.

12. The apparatus of claim 11, wherein the controller is further configured to: extract an identifier of the endpoint device from the network event trigger; query a session database maintained in the memory with the identifier to identify the additional sessions with the additional SaaS providers; and perform a redundancy check based on the identifier to ensure that the transmitting of the signoff message transmits one copy of the signoff message to each of the additional SaaS providers.

13. The apparatus of claim 10, wherein the network event trigger is a connectivity shutdown detected by the network device, and the network device is a layer 2 device.

14. The apparatus of claim 10, wherein the network event trigger is an internet protocol (IP) lease expiry, and the network device is a layer 3 device.

15. The apparatus of claim 10, wherein the network event trigger is a system logout message, and the network device is an authentication, authorization and accounting (AAA) server.

16. The apparatus of claim 10, wherein the network event trigger is a change in a user account or a user policy associated with the endpoint device.

17. The apparatus of claim 10, wherein in transmitting, the communication interface is further configured to: publish the signoff message in a publish and subscribe system, and a plurality of SaaS providers are configured to receive the signoff message from the publish and subscribe system.

18. A non-transitory computer readable medium including instructions that when executed are configured to cause a processor to: monitor a session between a software as a service (SaaS) provider and an endpoint device by monitoring communications to and from the endpoint device; detect a network event trigger associated with the endpoint device based on the monitoring, wherein the network event trigger indicates a change in a connection state of the endpoint device; in response to the identifying of the network event trigger, initiate a timer that measures a predetermined time period for the endpoint device to rejoin the session; generate a signoff message; and send the signoff message to the SaaS provider to cause the SaaS provider to purge the session when the timer reaches the predetermined time period.

19. The non-transitory computer readable medium of claim 18, wherein the network event trigger indicates that the endpoint has disconnected from a network.

20. The non-transitory computer readable medium of claim 18, wherein the SaaS provider purges a token associated with the session in response to the signoff message.
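The claims describe one flow: the network device records which SaaS providers each endpoint has sessions with, a network event trigger (layer 2 link shutdown, IP lease expiry, AAA logout) starts a rejoin timer, and on expiry one signoff per provider is published so the providers purge their tokens. The Python below is an added illustration of that flow, not Cisco's implementation or code from the patent; the class names, the 30-second window and the endpoint and provider names are constructed, and the three trigger sources are collapsed into a single `on_trigger` call.

```python
GRACE_SECONDS = 30  # constructed rejoin window; the claims call it a "predetermined time period"

class SaaSProvider:  # subscriber side: holds issued tokens, purges them when a signoff names it
    def __init__(self, name, tokens):
        self.name, self.tokens = name, tokens

    def on_signoff(self, msg):  # purge; True only if this provider held a token for the endpoint
        return msg["provider"] == self.name and self.tokens.pop(msg["endpoint"], None) is not None

class SignoffService:  # network-device side: session database, rejoin timers, pub/sub fan-out
    def __init__(self, subscribers):
        self.subscribers = subscribers  # SaaS providers listening on the pub/sub channel
        self.sessions = {}              # endpoint_id -> set of provider names (session database)
        self.pending = {}               # endpoint_id -> timer deadline (seconds)

    def observe(self, endpoint_id, provider):  # monitoring: a set keeps one entry per provider
        self.sessions.setdefault(endpoint_id, set()).add(provider)

    def on_trigger(self, endpoint_id, now):  # link down / lease expiry / AAA logout: start timer
        if endpoint_id in self.sessions:
            self.pending[endpoint_id] = now + GRACE_SECONDS

    def on_rejoin(self, endpoint_id):  # endpoint came back inside the window: cancel the timer
        self.pending.pop(endpoint_id, None)

    def tick(self, now):  # expired timers: one signoff per provider, then drop the session entry
        published = []
        for endpoint_id, deadline in list(self.pending.items()):
            if now < deadline:
                continue
            del self.pending[endpoint_id]
            for provider in sorted(self.sessions.pop(endpoint_id, set())):
                msg = {"action": "signoff", "endpoint": endpoint_id, "provider": provider}
                published.append(msg)
                for sub in self.subscribers:  # pub/sub: every subscribed provider sees the message
                    sub.on_signoff(msg)
        return published

def run_scenario():  # constructed scenario: ep-A drops for good, ep-B drops but rejoins in time
    p1 = SaaSProvider("saas-1", {"ep-A": "tokA1", "ep-B": "tokB1"})
    p2 = SaaSProvider("saas-2", {"ep-A": "tokA2"})
    svc = SignoffService(subscribers=[p1, p2])
    for ep, prov in [("ep-A", "saas-1"), ("ep-A", "saas-1"), ("ep-A", "saas-2"), ("ep-B", "saas-1")]:
        svc.observe(ep, prov)  # the duplicate saas-1 entry must still yield a single signoff
    for ep in ("ep-A", "ep-B"):
        svc.on_trigger(ep, now=0)
    svc.on_rejoin("ep-B")
    early = svc.tick(now=15)            # inside the grace window: nothing published
    late = svc.tick(now=GRACE_SECONDS)  # ep-A's timer expired; ep-B's was cancelled
    return early, late, p1.tokens, p2.tokens
```

Running `run_scenario()` shows the two properties a defender cares about: a transient drop that rejoins in time leaves the endpoint's tokens intact, while a real disconnect purges the endpoint at every provider exactly once.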

Assignees

Cisco Tech Inc

Inventors

Classifications

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title

  • Electricity · mapped topic

  • providing single-sign-on or federations · CPC title

  • Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title

  • Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Sep 26, 2017 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).