
LDAP Connector restricts users to one SSO session

Open yuezhou1998 opened this issue 3 years ago • 1 comments

Description

Users who sign in through an LDAP connector are restricted to having only one SSO session and refresh token active at a time. The original issue is from: https://fusionauth.io/community/forum/topic/2176/does-fusionauth-track-multiple-sso-sessions-for-ldap-users

Affects versions

1.28

Steps to reproduce

  1. Sign into a new browser session with an LDAP user
  2. Verify using the API that there exists a single refresh token for the LDAP user
  3. Verify using the FusionAuth Admin UI that there exists a single session for the LDAP user, under Users > the LDAP user from step 1) > Manage > Sessions.
  4. Everything up to this point is correct. There is only one session recorded inside of FusionAuth and one refresh token in the API.
  5. Sign into a different browser with the LDAP user from step 1)
  6. Verify using the API that there exists a single refresh token for the LDAP user, this is now incorrect as there should be two refresh tokens, one from step 1), another from step 5).
  7. Verify using the FusionAuth Admin UI that there exists a single session for the LDAP user, under Users > the LDAP user from step 1) > Manage > Sessions. This is also incorrect as there should be two sessions for the user, one from step 1), another from step 5)
  8. Verify that the SSO session from the browser on step 1) is now using a fusionauth.sso cookie that no longer correlates to an active refresh token. If the user attempts to access another application's endpoint on this browser, they will be prompted to sign in. Note that this application must not have been accessed yet until this point, since we are trying to trigger another OAuth flow.

Expected behavior

LDAP users should be able to maintain more than one SSO session. The session from step 1) above should still be valid.

Platform

Device: Desktop
OS: Linux
Browser + version: Chrome Version 85.0.4183.102 (Official Build) (64-bit)
Database: PostgreSQL 14, using spilo-14:2.1-p3

Additional Context

The LDAP Reconcile we are using is not setting any values related to the user's sessions.

Please let me know if there's anything else I could attach or clarify on, thanks

yuezhou1998 avatar Oct 03 '22 22:10 yuezhou1998
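The refresh-token checks in steps 2 and 6 above can be automated as a regression test that captures the user's refresh tokens after each sign-in and verifies that the first session's token survives the second. This is an added example, not code from the issue or from FusionAuth; it assumes the retrieve-refresh-tokens endpoint `GET /api/jwt/refresh?userId=<id>` with the API key sent in the `Authorization` header, and the base URL, API key and sample responses are placeholders and constructed data.

```python
import json
import urllib.request

# Placeholders for a local FusionAuth instance; replace before use (assumptions, not from the issue).
FUSIONAUTH_URL = "http://localhost:9011"
API_KEY = "REPLACE_WITH_API_KEY"


def fetch_refresh_tokens(user_id, base_url=FUSIONAUTH_URL, api_key=API_KEY):
    """Retrieve all refresh tokens for a user via GET /api/jwt/refresh?userId=<id>."""
    req = urllib.request.Request(
        f"{base_url}/api/jwt/refresh?userId={user_id}",
        headers={"Authorization": api_key},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def token_ids(response_body):
    """Set of refresh token ids from a retrieve-refresh-tokens response body."""
    return {t["id"] for t in response_body.get("refreshTokens", [])}


def check_second_login(before, after):
    """Compare the token sets captured before and after a second sign-in.

    Correct behaviour: every token from the first session survives and exactly
    one new token appears. Returns (ok, reason)."""
    old, new = token_ids(before), token_ids(after)
    lost = old - new
    if lost:
        return False, f"first session's refresh token(s) revoked: {sorted(lost)}"
    added = new - old
    if len(added) != 1:
        return False, f"expected 1 new refresh token, found {len(added)}"
    return True, "both sessions active"


# Constructed sample responses (shape follows the API's refreshTokens array).
AFTER_STEP_1 = {"refreshTokens": [{"id": "tok-browser-a", "applicationId": "app-1"}]}
# What the report observes: the old token is gone and a single new one replaced it.
OBSERVED_AFTER_STEP_5 = {"refreshTokens": [{"id": "tok-browser-b", "applicationId": "app-1"}]}
# What the report expects: both tokens present.
EXPECTED_AFTER_STEP_5 = {"refreshTokens": [
    {"id": "tok-browser-a", "applicationId": "app-1"},
    {"id": "tok-browser-b", "applicationId": "app-1"},
]}

if __name__ == "__main__":
    print(check_second_login(AFTER_STEP_1, OBSERVED_AFTER_STEP_5))
    print(check_second_login(AFTER_STEP_1, EXPECTED_AFTER_STEP_5))
```

Against a live instance, replace the constructed dictionaries with two `fetch_refresh_tokens(user_id)` calls taken between step 1 and step 5 of the repro.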

related https://fusionauth.io/community/forum/topic/2176/does-fusionauth-track-multiple-sso-sessions-for-ldap-users/5

jobannon avatar Oct 03 '22 22:10 jobannon

This also apparently applies to generic connectors, as I saw the same behavior today in a test.

mooreds avatar Nov 14 '22 17:11 mooreds

Internal

  • https://github.com/FusionAuth/fusionauth-app/pull/150

robotdan avatar Nov 15 '22 19:11 robotdan