Hi Sathya,

From a security perspective, this requirement is totally valid. Assume a
scenario where we currently have single-step authentication but at some point
we enforce two-factor authentication. At that time, adding step 2 to
the SP won't affect the users who already have active sessions. It'll
affect those users only after their current session terminates.

Now, let's say we patch this to kill existing active sessions of users at
the time we modify the authentication scheme of an SP. If the users are not
idle at that time, it would cause problems as their sessions are forcefully
terminated (data loss, etc.). Also, in SSO scenarios, there could be one
active user session on the IS side for the user, but the user would be using
multiple apps.

So, considering the above, I believe we have to accept the current behavior.

However, we can look into a session management feature separately, where we
can provide a facility for admins, something like viewing the active
sessions in the mgt console or a dashboard and terminating them as
required.

Thanks,
TharinduE

On Fri, Jan 19, 2018 at 1:18 PM, Sathya Bandara <[email protected]> wrote:

> Hi all,
>
> When there is an already authenticated session for an application user
> with Identity Server, there is no necessity to prompt for another login to
> the IS if the user logs into the application from another tab in the same
> browser.
> However, we can change the service provider's authentication scheme
> (authentication steps and authenticators in each step) while the user has
> this session.
> In this case, if the user tries to log into the application he is not
> prompted for re-authentication. This is the default behavior of IS.
> Shouldn't we prompt the user to authenticate if the service provider's
> authentication scheme is modified or is this an intended behavior?
>
> Appreciate your thoughts on this.
>
> Thanks,
> Sathya
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>



-- 

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
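The thread above weighs two options when an SP's authentication scheme changes while a user holds an SSO session: keep honoring the session (the current default) or kill it (disruptive). A third option is to re-evaluate the session against the SP's current scheme at the moment the user opens the app, and prompt only for the steps the session has not yet satisfied. The following model of that step-up check is an added example written for this page; it is not WSO2 Identity Server code, and the `Session`, `ServiceProvider`, `AuthStep` types and the `login` / `missing_steps` / `complete_step` functions are hypothetical names chosen for illustration.

```python
"""Re-evaluating an SSO session against a service provider's current
authentication scheme at login time. Illustrative model, not WSO2 IS code."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthStep:
    """One step of an SP's scheme: any one of the listed authenticators
    satisfies the step (e.g. step 2 may accept TOTP or FIDO)."""
    number: int
    authenticators: frozenset


@dataclass
class ServiceProvider:
    """An SP whose ordered steps an admin may change at any time."""
    name: str
    steps: tuple


@dataclass
class Session:
    """A single IS-side SSO session shared by every app the user opens.
    `proven` holds the authenticators the user has completed in it."""
    user: str
    proven: set = field(default_factory=set)


def missing_steps(session, sp):
    """Steps of sp's *current* scheme that this session has not satisfied.

    Empty result: let the user in without a prompt, as today.
    Non-empty result: prompt only for those steps (step-up); the existing
    session is neither trusted unconditionally nor terminated, so other
    apps sharing the SSO session keep working.
    """
    return [s for s in sp.steps if not (s.authenticators & session.proven)]


def complete_step(session, sp, step_number, authenticator):
    """Record a step-up authenticator on the session. Hypothetical hook:
    call it only after the authenticator itself has verified the user."""
    step = next((s for s in sp.steps if s.number == step_number), None)
    if step is None or authenticator not in step.authenticators:
        raise ValueError(
            f"{authenticator} is not accepted at step {step_number} of {sp.name}")
    session.proven.add(authenticator)


def login(session, sp):
    """Decision when a user with an existing session opens sp:
    'no_prompt', or the list of step numbers that still need completing."""
    pending = missing_steps(session, sp)
    return "no_prompt" if not pending else [s.number for s in pending]


if __name__ == "__main__":
    # Constructed scenario: alice logged in with basic auth only,
    # then the admin adds a second step to the SP.
    alice = Session(user="alice", proven={"basic"})
    webapp_v1 = ServiceProvider("webapp", (AuthStep(1, frozenset({"basic"})),))
    print("before scheme change:", login(alice, webapp_v1))   # no_prompt

    webapp_v2 = ServiceProvider("webapp", (
        AuthStep(1, frozenset({"basic"})),
        AuthStep(2, frozenset({"totp", "fido"})),
    ))
    print("after adding step 2: ", login(alice, webapp_v2))   # [2]

    complete_step(alice, webapp_v2, 2, "totp")                # user passes TOTP
    print("after step-up:       ", login(alice, webapp_v2))   # no_prompt
```

Because `proven` lives on the shared IS session rather than on a per-app session, a step-up completed for one SP also satisfies any other SP that accepts the same authenticator, which preserves the SSO property Tharindu mentions while closing the window in which a single-factor session keeps reaching an SP that now requires two factors.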
