FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Does FusionAuth track multiple SSO sessions for LDAP users?

    Scheduled Pinned Locked Moved Unsolved
    Q&A
    2
    5
    1.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Y
      yb98
      last edited by

      Hi,

      I came up with a quick test where I logged in as the same LDAP user into two different browser sessions. The first login into browser "A", produced a refresh token "A" for the user, and I was able to confirm that there now existed a session for the user when examining their sessions through the FusionAuth UI. When calling the API, I also confirmed that one refresh token was present.

      However, when I logged into a second browser "B" with the same LDAP user, the refresh token "A" was replaced with refresh token "B", which corresponds to the new SSO session. This made it so that the SSO session in browser "A" was no longer tracked by FusionAuth, calling the API revealed only refresh token "B" was present. When examining the list of user sessions in the UI, only the second session was present.

      Is this intentional? This would mean that only the most recent sessions for LDAP users are available inside of FusionAuth for modification or deletion. The LDAP reconcile I am using is also not setting any values related to the refresh token. Thanks!

      danD 1 Reply Last reply Reply Quote 0
      • danD
        dan @yb98
        last edited by

        @yb98 Hmmm.

        Hmm. Do you see this for non LDAP users?

        Do you see SSO behavior weirdness with the first browser after the SSO session is replaced by the second browser?

        I'd expect SSO behavior to be unchanged (that is, in the first browser you could switch between applications without logging in, even after you've opened up the second browser). If it isn't, that's a problem.

        If it is, then perhaps what you discovered is just an implementation detail.

        Thanks!

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        Y 1 Reply Last reply Reply Quote 0
        • Y
          yb98 @dan
          last edited by

          @dan

          Thanks for the reply.
          No, this is only occurring for LDAP users. The issue is with the first browser, if I attempt to access a new OAuth linked application, because the refresh token is not valid anymore and accessing this new endpoint will cause authentication with the existing token, I will be incorrectly prompted to log in. If I am just switching between tabs, then there is no weird behaviour as it does not attempt to authenticate me.

          So because I have made a new SSO session in the second browser, the existing SSO session in the first browser is no longer valid.

          danD 1 Reply Last reply Reply Quote 0
          • danD
            dan @yb98
            last edited by

            @yb98

            Ah, can you please file an issue, then? https://github.com/fusionauth/fusionauth-issues/issues

            I suspect it is an issue with the LDAP connector, but this seems like it is an issue, either with the code or the docs:

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            Y 1 Reply Last reply Reply Quote 1
            • Y
              yb98 @dan
              last edited by

              @dan

              Thanks!
              I made the new issue https://github.com/FusionAuth/fusionauth-issues/issues/1907

              1 Reply Last reply Reply Quote 0
              • First post
                Last post