I have workday set up as a SAML SP and login/logout works. We have a requirement that all users must login whenever they access workday even if they are already logged in to NAM. We also have a timeout in workday that logs the user out in 10 minutes which isn't very nice for the other applications. I would like to have the login and logout of workday be separate from other applications.

All of our applications are using a contract that is level 0. I set up a new contract, using the same method, that is level 5 and set workday to use the new contract. It is still logging me into workday any time I am authenticated to the level 0 contract. I also get logged out of all contracts when I log out of workday. Am I going about this the right way? Any ideas for me?

Workday doesn't import metadata so I set the urls manually. I used https://devsso.vermeer.com/nidp/saml2/spslo as the logout url. Is that correct if I only want to logout of the level 5 workday contract?