By Sandeep Goyal - 11/8/2020
Hello Everyone,
I have done the login using SSO and I am successfully able to perform single logout from the application as well as the IdP.
But I want to auto logout from the application if the same user is able to log in from another browser. Which method/class can I use to validate whether the Assertion ID or Session ID is still valid for that user?
Please let me know for more info.
Thanks
By ComponentSpace - 11/8/2020
Thanks for the additional information.
The ISSOSessionStore Session ID keeps track of the SAML session state in support of the SAML protocol. This includes support for SAML logout. There isn't really a notion of the SAML session ID being valid or not. By default we store SAML session state in memory with a sliding expiry that defaults to 30 minutes. If the SAML session state isn't accessed after 30 minutes it's automatically discarded. However, I'm not sure how you could use this to implement auto logout so a user is logged in via one browser only.
I don't think what you're trying to implement can be done using the SAML protocol or the SAML session state we maintain. It sounds more like the IdP has to somehow tell the SPs that the user should be logged out of the old authentication sessions. This communication would be at the application level.
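An added example, not part of the thread and not ComponentSpace code: one way an application could enforce "one browser per user" on its own side, with the most recent login superseding older ones and the same 30-minute sliding expiry idea mentioned above. `ActiveSessionRegistry`, `RegisterLogin` and `IsCurrent` are hypothetical names; the sketch assumes a single server holding state in memory and that the returned session ID is stored in the user's authentication cookie or claims.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Constructed walk-through: the same user signs in from two browsers.
var registry = new ActiveSessionRegistry(TimeSpan.FromMinutes(30));
var browserA = registry.RegisterLogin("alice@example.com");
var browserB = registry.RegisterLogin("alice@example.com");
Console.WriteLine(registry.IsCurrent("alice@example.com", browserA)); // first browser
Console.WriteLine(registry.IsCurrent("alice@example.com", browserB)); // second browser

// Hypothetical application-level registry (not a ComponentSpace API).
// It remembers which application session is the current one for each user.
public sealed class ActiveSessionRegistry
{
    private sealed record Entry(string SessionId, DateTimeOffset LastSeen);

    private readonly ConcurrentDictionary<string, Entry> _current =
        new(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _idleTimeout;

    public ActiveSessionRegistry(TimeSpan idleTimeout) => _idleTimeout = idleTimeout;

    // Call once SSO has completed. The new random ID replaces any earlier
    // one for this user, so sessions in other browsers become stale.
    public string RegisterLogin(string userId)
    {
        var sessionId = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        _current[userId] = new Entry(sessionId, DateTimeOffset.UtcNow);
        return sessionId;
    }

    // Call on every authenticated request. A false result means this
    // browser's session was superseded or idled out: sign it out locally.
    public bool IsCurrent(string userId, string sessionId)
    {
        if (!_current.TryGetValue(userId, out var entry)) return false;
        if (DateTimeOffset.UtcNow - entry.LastSeen > _idleTimeout)
        {
            // Remove only if no newer login replaced the entry meanwhile.
            _current.TryRemove(new KeyValuePair<string, Entry>(userId, entry));
            return false;
        }
        if (!string.Equals(entry.SessionId, sessionId, StringComparison.Ordinal))
            return false;
        // Sliding expiry: refresh the timestamp unless a newer login won the race.
        _current.TryUpdate(userId, entry with { LastSeen = DateTimeOffset.UtcNow }, entry);
        return true;
    }
}
```

With more than one web server the dictionary would have to be replaced by a shared store, and a stale browser is only signed out of this application, not of the IdP.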