Does FusionAuth track multiple SSO sessions for LDAP users?
-
Hi,
I came up with a quick test where I logged in as the same LDAP user into two different browser sessions. The first login into browser "A", produced a refresh token "A" for the user, and I was able to confirm that there now existed a session for the user when examining their sessions through the FusionAuth UI. When calling the API, I also confirmed that one refresh token was present.
However, when I logged into a second browser "B" with the same LDAP user, the refresh token "A" was replaced with refresh token "B", which corresponds to the new SSO session. This made it so that the SSO session in browser "A" was no longer tracked by FusionAuth, calling the API revealed only refresh token "B" was present. When examining the list of user sessions in the UI, only the second session was present.
Is this intentional? This would mean that only the most recent sessions for LDAP users are available inside of FusionAuth for modification or deletion. The LDAP reconcile I am using is also not setting any values related to the refresh token. Thanks!
-
@yb98 Hmmm.
Hmm. Do you see this for non-LDAP users?
Do you see SSO behavior weirdness with the first browser after the SSO session is replaced by the second browser?
I'd expect SSO behavior to be unchanged (that is, in the first browser you could switch between applications without logging in, even after you've opened up the second browser). If it isn't, that's a problem.
If it is, then perhaps what you discovered is just an implementation detail.
Thanks!
-
Thanks for the reply.
No, this is only occurring for LDAP users. The issue is with the first browser: if I attempt to access a new OAuth linked application, because the refresh token is not valid anymore and accessing this new endpoint will cause authentication with the existing token, I will be incorrectly prompted to log in. If I am just switching between tabs, then there is no weird behaviour as it does not attempt to authenticate me. So because I have made a new SSO session in the second browser, the existing SSO session in the first browser is no longer valid.
-
Ah, can you please file an issue, then? https://github.com/fusionauth/fusionauth-issues/issues
I suspect it is an issue with the LDAP connector, but this seems like it is an issue, either with the code or the docs:
-
Thanks!
I made the new issue https://github.com/FusionAuth/fusionauth-issues/issues/1907