Forums, Documentation & Knowledge Base - ComponentSpace

Auto Logout from Application on Duplicate Login in Another Browser


https://componentspace.com/forums/Topic11247.aspx

By Sandeep Goyal - 11/8/2020

Hello Everyone,

I have done the login using SSO and I am successfully able to Single logout from Application as well as IDP.

But I want to auto logout from the application if the same user is able to log in in another browser. Which method/class can I use to validate whether the Assertion ID or Session ID is still valid for that user?

Please let me know for more info.

Thanks

By ComponentSpace - 11/8/2020

Thanks for the additional information.

The ISSOSessionStore Session ID keeps track of the SAML session state in support of the SAML protocol. This includes support for SAML logout. There isn't really a notion of the SAML session ID being valid or not. By default we store SAML session state in memory with a sliding expiry that defaults to 30 minutes. If the SAML session state isn't accessed after 30 minutes it's automatically discarded. However, I'm not sure how you could use this to implement auto logout so a user is logged in via one browser only.

I don't think what you're trying to implement can be done using the SAML protocol or the SAML session state we maintain. It sounds more like the IdP has to somehow tell the SPs that the user should be logged out of the old authentication sessions. This communication would be at the application level.
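
An added example, not part of the thread and not ComponentSpace code: one way a single application could do this at the application level, by remembering the most recent login per user and rejecting requests that carry an older one. `ActiveLoginRegistry`, its methods and the sample user are hypothetical names; it assumes a single server (a shared store would be needed across nodes) and that the returned login ID is kept as a claim in the application's own authentication cookie.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical application-level registry; not a ComponentSpace API.
public sealed class ActiveLoginRegistry
{
    // user name -> ID of the most recent login for that user
    private readonly ConcurrentDictionary<string, string> _latest =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call once the SSO response has been accepted; store the returned
    // ID as a claim in the application's own authentication cookie.
    public string RegisterLogin(string userName)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var loginId = Convert.ToBase64String(bytes);
        _latest[userName] = loginId; // newest login replaces any older one
        return loginId;
    }

    // Call on every authenticated request; false means a newer login exists
    // (or the user logged out) and this browser should be signed out locally.
    public bool IsCurrent(string userName, string loginId) =>
        loginId != null
        && _latest.TryGetValue(userName, out var latest)
        && string.Equals(latest, loginId, StringComparison.Ordinal);

    // Call on logout; removes the entry only if this login is still the latest,
    // so a stale browser logging out cannot end the newer session.
    public void EndLogin(string userName, string loginId)
    {
        ((ICollection<KeyValuePair<string, string>>)_latest)
            .Remove(new KeyValuePair<string, string>(userName, loginId));
    }
}

public static class Demo
{
    public static void Main()
    {
        var registry = new ActiveLoginRegistry();
        var browserA = registry.RegisterLogin("alice@example.com"); // constructed user
        var browserB = registry.RegisterLogin("alice@example.com"); // second browser
        Console.WriteLine("{0} {1}", registry.IsCurrent("alice@example.com", browserA),
            registry.IsCurrent("alice@example.com", browserB));
    }
}
```

This only ends the older session inside this one application; the user's session at the IdP and at other service providers is unaffected.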