Add validation of credentials passed by SSO session to track if credentials were changed

Idea ID 2773425


Scenario:


The customer is using a 3rd-party proxy server; the operator authorizes on this server by manually entering a login and password. After that, when the operator accesses the SM webtier, his credentials are passed to the SM web client, bypassing the login page (SSO login to SM). After a successful SSO login, SM creates a new session for this user; let's call it user1.

Then the operator logs out from the 3rd-party proxy server and logs in again, entering different credentials (user2). After that he opens the SM webpage again (he didn't close the browser with the previous SM session, log out from SM, or open a new session for the new connection). The operator expects SM to open a new session for user2, but instead he continues to work in the session for user1, as it wasn't closed and there was no re-login for user2.

Considering that SSO will always pass the operator's name in its header but SM validates it only at login, the customer asks for a mechanism to validate the login passed by SSO after login and, if it was changed (not null) as per the scenario above, log out user1 and start a new session for user2.

One possible workaround is to use JSESSIONID=0 for every session from the 3rd-party proxy server, but even if the workaround is successfully implemented, it will open a new session for user2 while the session for user1 remains active until it is cleared by session-timeout, as there is no mechanism to force closing the previous session when credentials were changed.
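
The behaviour requested above, as an added example that is not part of the original post and is not Service Manager code: a small Python model of a web tier that re-checks the SSO header on every request and replaces the session when the identity changes. The `SessionStore` class, the function names and the way the JSESSIONID=0 workaround is modeled (a request that carries no usable session cookie) are assumptions made for illustration.

```python
import secrets

class SessionStore:
    """In-memory stand-in for the web tier's session table (constructed for this example)."""
    def __init__(self):
        self.sessions = {}  # session id -> user name bound at login

    def create(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


def handle_request(store, sid, sso_user, revalidate=True):
    """Return the session id that serves this request.

    sid      -- session cookie presented by the browser (None if absent)
    sso_user -- user name the proxy placed in its SSO header (None if absent)
    """
    bound_user = store.sessions.get(sid)
    if bound_user is None:
        # No live session: per the post, this login step is the only place
        # where the SSO header is validated.
        if not sso_user:
            raise PermissionError("no session and no SSO identity")
        return store.create(sso_user)
    if revalidate and sso_user and sso_user != bound_user:
        # Identity changed behind the proxy: end user1's session, start user2's.
        store.invalidate(sid)
        return store.create(sso_user)
    return sid  # header absent or unchanged: keep the existing session


def replay_scenario(revalidate):
    """Replay the post's scenario; return (user served last, users with live sessions)."""
    store = SessionStore()
    sid = handle_request(store, None, "user1", revalidate)  # first SSO login
    sid = handle_request(store, sid, "user2", revalidate)   # same browser, new proxy login
    return store.sessions[sid], sorted(store.sessions.values())


def replay_workaround():
    """Workaround from the post: the old cookie is never reused, so each visit logs in afresh."""
    store = SessionStore()
    handle_request(store, None, "user1", revalidate=False)
    sid = handle_request(store, None, "user2", revalidate=False)
    return store.sessions[sid], sorted(store.sessions.values())
```

With `revalidate=False` the second request is still served as user1; with `revalidate=True` only a user2 session remains, while the workaround serves user2 but leaves user1's session live until timeout.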

2 Comments
Micro Focus Frequent Contributor
Status changed to: Waiting for Votes
 
Micro Focus Frequent Contributor
Status changed to: Declined

@Yuri Buinichenko this will be tracked as a defect.
