Once a graylog session exists, the user name is not checked on subsequent requests if SSO user name has changed #35
Comments
In addition to checking the user name it would be nice to also check the user roles (see PR #25) if possible. A change in roles should issue a logout of the current session.
This is currently not easily possible in the current implementation, because authenticators cannot interact with each other (and in fact do not even know each other). The default is to check existing sessions first, and as long as a user request has a valid session that will be used to allow the request to proceed. A possible workaround is to use shorter session times, which would cause the SSO HTTP header to be checked more often. While I agree that the current behavior is surprising and less than ideal, I cannot offer you an easy fix for it, save redesigning the entire authentication mechanism.
@kroepke - Thanks for looking into this. I suggest the following mechanism that might be easier to implement: Whenever the information in the header doesn't match the information stored in the session, trigger a logout. I assume that comparing the information in the header with the information in the session doesn't require an LDAP request. The next request will then trigger an authentication with the new user information.
I've given it a try on checking the SSO headers on subsequent requests. There is now PR #40 that should close this issue. Feedback is welcome, please comment in the PR.
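A standalone model of the behaviour discussed in this thread, added here as an example (it is not the plugin's code): the "session wins" path reproduces the issue, and the mismatch check proposed above destroys the session whenever the SSO header's user or roles no longer match what the session recorded, without any directory lookup. The header names X-Remote-User and X-Remote-Roles, the session store and its API are assumptions.

```python
"""Constructed model of header-based SSO auth with session reuse."""
import secrets
from dataclasses import dataclass

# Header names are assumptions for this example, not the plugin's actual configuration.
USER_HEADER = "X-Remote-User"
ROLES_HEADER = "X-Remote-Roles"


@dataclass
class Session:
    user: str
    roles: frozenset


class SessionStore:
    """Minimal in-memory session store keyed by a random session id."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, roles):
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, frozenset(roles))
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def authenticate(store, headers, cookies, check_header_on_existing_session=True):
    """Return (user, session_id) for one request.

    check_header_on_existing_session=False reproduces the reported issue: a valid
    session is accepted as-is and the SSO header is never looked at again.
    With the check enabled, a user or role mismatch between header and session
    logs the session out and a fresh session is created from the header.
    """
    header_user = headers.get(USER_HEADER)
    header_roles = frozenset(r for r in headers.get(ROLES_HEADER, "").split(",") if r)
    sid = cookies.get("session")
    session = store.get(sid) if sid else None
    if session is not None:
        if not check_header_on_existing_session:
            return session.user, sid  # vulnerable: header ignored once a session exists
        if session.user == header_user and session.roles == header_roles:
            return session.user, sid  # header still matches the session: proceed
        store.destroy(sid)  # mismatch: forced logout, no LDAP request needed
    if header_user is None:
        return None, None  # no trusted header and no usable session
    return header_user, store.create(header_user, header_roles)
```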
If the username in the HTTPHeaderAuth request changes, we need to destroy the session. Fixes Graylog2/graylog-plugin-auth-sso#35