SSO Sessions

In SSO, an active user session means the user has logged in successfully once and the session has not yet expired. The session timeframe is defined when configuring the SSO Service. Session management lets you build custom login logic into the SSO journey based on the current session status.

For example, if the session is valid, you can add journey steps that show a redirection message and automatically redirect the user to the required app without requiring credentials. If you have MFA enabled, you can add a journey step that only collects user information, such as a username, to implement a lighter login flow without sacrificing security. If the session has expired, the user will be prompted to re-authenticate.

The SSO model supports multiple SSO sessions per browser, as an SSO session correlates with a Clients-Group. This allows a user to authenticate to clients of different groups, each maintaining its own session context.

Note

The journey step dedicated to detecting user sessions is the Has Valid SSO Session step.

Session Logout

The session timeframe is set by you when you configure the SSO Service. To log out a user before that timeframe ends, the browser should send a POST request to the /ido/api/v2/auth/sso-logout endpoint. The server infers the SSO session(s) from the cookie, deletes the associated session(s), and returns a response instructing the browser to delete the cookie(s).

By default, the logout endpoint logs out of all existing SSO sessions. It is also possible to log out of a specific Clients-Group by specifying the group’s ID as the value of the clientsGroupId query parameter.
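The following is an added browser-side example of the logout call described above; it is not code from the original documentation or from the SSO Service itself. It assumes the page runs on an origin where the SSO cookie is set (so `credentials: 'include'` attaches it), that the fetch API is available, and that the `origin`, `clientsGroupId` and `fetchImpl` parameter names are this example's own. Omitting `clientsGroupId` logs out of all SSO sessions; passing one ends only that Clients-Group's session.

```javascript
// Added example (not part of the original documentation): build and send the
// SSO logout request. The server identifies the session(s) from the cookie and
// answers with headers that make the browser delete it; the script never needs
// to read or handle the cookie itself.

const SSO_LOGOUT_PATH = '/ido/api/v2/auth/sso-logout';

// Build the logout URL. Without a clientsGroupId the endpoint logs out of every
// SSO session; with one, only that Clients-Group's session is ended.
function buildSsoLogoutUrl(origin, clientsGroupId) {
  const url = new URL(SSO_LOGOUT_PATH, origin);
  if (clientsGroupId !== undefined && clientsGroupId !== null) {
    if (typeof clientsGroupId !== 'string' || clientsGroupId.trim() === '') {
      throw new TypeError('clientsGroupId must be a non-empty string');
    }
    // URLSearchParams percent-encodes the value, so IDs containing
    // characters such as '&' or '#' cannot alter the query string.
    url.searchParams.set('clientsGroupId', clientsGroupId);
  }
  return url.toString();
}

// Send the POST. `origin` defaults to the current page's origin in a browser;
// `fetchImpl` is injectable so the call can be exercised without a server.
async function ssoLogout({
  origin = globalThis.location ? globalThis.location.origin : undefined,
  clientsGroupId,
  fetchImpl = globalThis.fetch,
} = {}) {
  const response = await fetchImpl(buildSsoLogoutUrl(origin, clientsGroupId), {
    method: 'POST',
    // Attach the SSO cookie so the server can find and delete the session(s).
    credentials: 'include',
  });
  if (!response.ok) {
    throw new Error(`SSO logout failed: HTTP ${response.status}`);
  }
  // The browser applies the response's cookie-deletion headers on its own.
  return { loggedOut: true, scope: clientsGroupId ?? 'all' };
}
```

Call `ssoLogout()` to end every SSO session in the browser, or `ssoLogout({ clientsGroupId: '<group id>' })` to end one group's session; after the promise resolves, the SSO cookie for that scope is gone and the next journey run will see no valid session.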