First let's address the whole concept of SAML and SSO - SSO stands for "single-sign-on". That means you only need to sign into one system to be signed into every system. It's the entire premise of using a SSO.
I would encourage you to think about the point of using a SSO and then trying to disable SSO. It's just not quite right ... and you can see why it might be hard to make it do something it was specifically designed to solve.
Having said that - you can create a conditional access policy and specify a session limit. Alas, in Azure the minimum session limit is 1 hour, but this would at least mean AnyConnect sessions more than 1 hour apart would always require a full authentication again.
With nicer SAML providers like Cisco Duo - this is simply a "radio button" style option.
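The session limit described in the reply above, sketched as a Microsoft Graph conditional access policy body (sent with `POST /identity/conditionalAccess/policies`); this is an added example, not part of the original post. The display name and the application ID are placeholders for your own AnyConnect enterprise application, and the policy starts in report-only state so its effect can be reviewed in the sign-in logs before it is enforced.

```json
{
  "displayName": "AnyConnect SAML - sign-in frequency 1 hour (example name)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": {
      "includeApplications": ["<ANYCONNECT-ENTERPRISE-APP-ID-PLACEHOLDER>"]
    },
    "users": {
      "includeUsers": ["All"]
    }
  },
  "sessionControls": {
    "signInFrequency": {
      "isEnabled": true,
      "type": "hours",
      "value": 1
    }
  }
}
```

Scoping `includeApplications` to the VPN application alone leaves the session lifetime of every other SSO-integrated application unchanged.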