Auto Logout from Application on Duplicate Login in Another Browser


Sandeep Goyal
Hello Everyone,

I have done the login using SSO and I am successfully able to Single logout from Application as well as IDP.

But I want to auto logout from the application if the same user is able to log in in another browser. Which method/class can I use to validate whether the Assertion ID or Session ID is still valid for that user?

Please let me know for more info.

Thanks
ComponentSpace
Auto-logging out a user in another browser is something you would have to handle at the application level. It's not supported by the SAML protocol or our SAML API. Having access to the assertion ID etc won't help.

At the time of SSO you automatically login the user at the SP application. Normally this means the application or ASP.NET creates an authentication cookie. You can use this cookie to determine whether the user is logged in or not. If a user logs in again, either directly or via SSO, your application would have to detect this and clear any other authentication cookies associated with this user.




Regards
ComponentSpace Development
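
The application-level check described in the reply above, as an added example that is not part of the original thread and is not ComponentSpace code: a server-side registry keeps one current session token per user, so a new login makes the cookie held by any other browser stale. `SingleSessionRegistry` and its members are hypothetical names, and the in-memory map is an assumption.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper (not ComponentSpace API): one accepted session token per user.
public sealed class SingleSessionRegistry
{
    private readonly ConcurrentDictionary<string, string> _current = new ConcurrentDictionary<string, string>();

    // Call when the local login completes, directly or via SSO. The new token
    // replaces the previous one, so cookies held by other browsers go stale.
    public string RegisterLogin(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        _current[userId] = token;
        return token; // carry this value in the authentication cookie
    }

    // Call on every authenticated request with the token from the cookie.
    // False means a newer login exists: clear this cookie and require login.
    public bool IsCurrent(string userId, string token)
    {
        return token != null
            && _current.TryGetValue(userId, out var current)
            && string.Equals(current, token, StringComparison.Ordinal);
    }

    // Explicit logout: atomic remove that succeeds only for the current token.
    public bool Logout(string userId, string token)
    {
        return ((ICollection<KeyValuePair<string, string>>)_current)
            .Remove(new KeyValuePair<string, string>(userId, token));
    }
}

public static class Demo
{
    public static void Main()
    {
        var registry = new SingleSessionRegistry();
        var browserA = registry.RegisterLogin("alice"); // constructed user id
        var browserB = registry.RegisterLogin("alice"); // same user, second browser
        Console.WriteLine("A accepted: " + registry.IsCurrent("alice", browserA));
        Console.WriteLine("B accepted: " + registry.IsCurrent("alice", browserB));
    }
}
```

On a web farm the map has to live in a store shared by all nodes (a database or distributed cache), which this in-memory version does not do.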
Sandeep Goyal
ComponentSpace - 11/8/2020
> Auto-logging out a user in another browser is something you would have to handle at the application level. It's not supported by the SAML protocol or our SAML API. Having access to the assertion ID etc won't help.
>
> At the time of SSO you automatically login the user at the SP application. Normally this means the application or ASP.NET creates an authentication cookie. You can use this cookie to determine whether the user is logged in or not. If a user logs in again, either directly or via SSO, your application would have to detect this and clear any other authentication cookies associated with this user.



The cookies are browser-specific. Can we have any method or API where I can validate if the ComponentSpace Session ID or Assertion ID is still valid or not?
ComponentSpace
I'm not sure what you mean by the validity of the session ID or assertion ID. The SAML assertion has a limited validity period (usually a few minutes). It's used once and then discarded. Your local authentication session (i.e. the auto login that your application performs using information from the SAML assertion) usually is much longer. It's not clear to me how you would use the assertion ID to "auto logout from application if the same user is able to login in another browser".

Could you provide more details regarding your requirements?

How did you hope to implement these requirements?

How did you want to use the assertion ID?

What do you mean by checking if the assertion ID is valid for the user?

What do you mean by the session ID?  

Regards
ComponentSpace Development
Sandeep Goyal
ComponentSpace - 11/9/2020
> I'm not sure what you mean by the validity of the session ID or assertion ID. The SAML assertion has a limited validity period (usually a few minutes). It's used once and then discarded. Your local authentication session (i.e. the auto login that your application performs using information from the SAML assertion) usually is much longer. It's not clear to me how you would use the assertion ID to "auto logout from application if the same user is able to login in another browser".
>
> Could you provide more details regarding your requirements?
>
> How did you hope to implement these requirements?
>
> How did you want to use the assertion ID?
>
> What do you mean by checking if the assertion ID is valid for the user?
>
> What do you mean by the session ID?

Thanks for explaining about the Assertion ID in detail.

We have set the "Max Logins Per User" as 1. It means that one session can be created for a user, and if the user tries to log in on another browser then that old session will be terminated by the IDP.

So forget about that Assertion ID. Can I check if the Session ID associated in ISSOSessionStore is still valid or not?

I am using distributed session management with the help of ISSOSessionStore.

Please let me know for more info. 
ComponentSpace
Thanks for the additional information.

The ISSOSessionStore Session ID keeps track of the SAML session state in support of the SAML protocol. This includes support for SAML logout. There isn't really a notion of the SAML session ID being valid or not. By default we store SAML session state in memory with a sliding expiry that defaults to 30 minutes. If the SAML session state isn't accessed after 30 minutes it's automatically discarded. However, I'm not sure how you could use this to implement auto logout so a user is logged in via one browser only.

I don't think what you're trying to implement can be done using the SAML protocol or the SAML session state we maintain. It sounds more like the IdP has to somehow tell the SPs that the user should be logged out of the old authentication sessions. This communication would be at the application level.

Regards
ComponentSpace Development