https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226795#M43593 <P>As far as I know, this is by design.</P> <P>Please correct me, if I'm wrong.</P> <P>When you use Identity Awareness Browser-Based Authentictation with transparent SSO (autoauth), there is no browser tab with captive portal site which will or can stay open for the full user user session, so you cannot use the portal setting "Log out users when they close the portal browser", right?</P> <P>And without that, the pdp just gets no notification, that user1 logs out of the machine and user2 logs in. PDP still uses that session entry entry for the ip address and does not reinitate authentication flow over captive portal.</P> <P>If you need to resolve that, you would have to use Identity Agents or Identity Collector. With using Identity Collector, you get an update in pdp side during login of user2. This will logout user1 IA session because of an implicit "assume one user per ip address setting".</P> <P>When you are concerned that someone malicous could re-use user1s ip address in your network before your configured IA session timer expires, you have to use Identity Agents (with a short agent session timeout), because in doing that, user1 session gets logged out when user1 logs out from the machine (while connected to network) or after the agent session timeout which can be much shorter that the session timeout for Captive Portal or Identity Collector due to Agent keepalive.</P> Mon, 16 Sep 2024 13:40:58 GMT Tobias_Moritz 2024-09-16T13:40:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226757#M43577 <P>Hello!</P><P>I was configure transparent SSO (browser based authentication) and it work.</P><P>I login in my test VM and open browser, try to open blocked URL I get notification with my username (Testuser1).</P><P>I logout and login as Testuser2 and do it again and get notification but user is Testuser1.</P><P>If i execute pdp control revoke_ip &lt;my vm ip&gt; it work as expected.</P><P>What Ican I resilve this issue?</P><P>Thank You!</P> Mon, 16 Sep 2024 11:47:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226757#M43577 OlegPowerC 2024-09-16T11:47:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226795#M43593 <P>As far as I know, this is by design.</P> <P>Please correct me, if I'm wrong.</P> <P>When you use Identity Awareness Browser-Based Authentictation with transparent SSO (autoauth), there is no browser tab with captive portal site which will or can stay open for the full user user session, so you cannot use the portal setting "Log out users when they close the portal browser", right?</P> <P>And without that, the pdp just gets no notification, that user1 logs out of the machine and user2 logs in. PDP still uses that session entry entry for the ip address and does not reinitate authentication flow over captive portal.</P> <P>If you need to resolve that, you would have to use Identity Agents or Identity Collector. With using Identity Collector, you get an update in pdp side during login of user2. This will logout user1 IA session because of an implicit "assume one user per ip address setting".</P> <P>When you are concerned that someone malicous could re-use user1s ip address in your network before your configured IA session timer expires, you have to use Identity Agents (with a short agent session timeout), because in doing that, user1 session gets logged out when user1 logs out from the machine (while connected to network) or after the agent session timeout which can be much shorter that the session timeout for Captive Portal or Identity Collector due to Agent keepalive.</P> Mon, 16 Sep 2024 13:40:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226795#M43593 Tobias_Moritz 2024-09-16T13:40:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226805#M43594 <P>Thank You.</P><P>I will use AD Query and agent instead captive portal.</P><P>&nbsp;</P> Mon, 16 Sep 2024 14:29:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226805#M43594 OlegPowerC 2024-09-16T14:29:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226806#M43595 <P>ADQuery is deprecated, I suggest using IdentityCollector instead.</P> Mon, 16 Sep 2024 14:39:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226806#M43595 Tobias_Moritz 2024-09-16T14:39:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226824#M43602 <P>But it is the same method (both read the event log&nbsp; in AD)</P> Mon, 16 Sep 2024 16:15:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226824#M43602 OlegPowerC 2024-09-16T16:15:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226846#M43606 <P>ADQuery actually uses WMI that is pushed from Active Directory versus Identity Collector, which reads the Event logs directly.<BR />In neither case does it read Logout events.<BR />I believe the only way to get an actual log out event is using an Identity Agent.</P> Mon, 16 Sep 2024 20:04:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Captive-portal-transparent-SSO-authentication-and-switch-user/m-p/226846#M43606 PhoneBoy 2024-09-16T20:04:53Z