Use Overwritten Session view if an active session is implicitly overriden by a different provider
#61217
Labels
enhancement
New value added to drive a business result
Feature:Security/Authentication
Platform Security - Authentication
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
azasypkin
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
|
Fixed in #68117 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Previously we used
Overwritten Sessionview only when user with an active session (created by SAML authentication provider) logged in again via SAML IdP initiated login with a different user.With the changes introduced in #53010 we'll have more cases when an active session can be overridden implicitly and potentially confuse the user as the result. In such cases it'd be beneficial to warn them with
Overwritten Sessionview. At the same time we shouldn't show this view if user initiates new login from Login Selector UI.Right now I can think of the following cases where showing
Overwritten Sessionwould be beneficial:If user has an active session (with any provider, except for SAML) and they perform SAML IdP initiated login
If user has an active session (with any provider, except for OpenID Connect) and they perform OpenID Connect IdP initiated login
If user has an active SAML session and they perform SAML IdP initiated login for another realm or user
If user has an active OpenID Connect session and they perform OpenID Connect IdP initiated login for another realm or user
If user has an active cookie with the expired refresh token acquired in exchange to Kerberos TGT and they successfully perform a new SPNEGO for another user (this one is tricky and we may not be able to cover this use case since this is a multi-step process that can also happen for AJAX requests)
The text was updated successfully, but these errors were encountered: