OlegPowerC
Participant

Captive portal transparent SSO authentication and switch user (logout/login)

Hello!

I configured transparent SSO (browser-based authentication) and it works.

I log in to my test VM, open a browser, try to open a blocked URL and get a notification with my username (Testuser1).

I log out, log in as Testuser2 and do it again; I get the notification, but the user is still Testuser1.

If I execute pdp control revoke_ip <my vm ip>, it works as expected.

How can I resolve this issue?

Thank You!

0 Kudos
5 Replies
Tobias_Moritz
Advisor

As far as I know, this is by design.

Please correct me, if I'm wrong.

When you use Identity Awareness Browser-Based Authentication with transparent SSO (autoauth), there is no browser tab with the captive portal site that will or can stay open for the full user session, so you cannot use the portal setting "Log out users when they close the portal browser", right?

And without that, the PDP just gets no notification that user1 logs out of the machine and user2 logs in. The PDP still uses that session entry for the IP address and does not reinitiate the authentication flow over the captive portal.

If you need to resolve that, you would have to use Identity Agents or Identity Collector. By using Identity Collector, you get an update on the PDP side during the login of user2. This will log out the user1 IA session because of an implicit "assume one user per IP address" setting.

When you are concerned that someone malicious could re-use user1's IP address in your network before your configured IA session timer expires, you have to use Identity Agents (with a short agent session timeout), because in doing that, user1's session gets logged out when user1 logs out from the machine (while connected to the network) or after the agent session timeout, which can be much shorter than the session timeout for Captive Portal or Identity Collector due to the agent keepalive.

0 Kudos
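To make the behaviour described in the reply above concrete, here is a small Python model of the PDP's per-IP session table. This is an added example, not Check Point code; the timeout value, the test VM address and the way each identity source updates the table are assumptions taken from this thread.

```python
from dataclasses import dataclass

# Constructed model of the PDP's IP-to-identity table as the thread describes it:
# one session entry per IP, kept until it times out or is revoked.
PORTAL_SESSION_TIMEOUT = 8 * 3600  # assumed captive-portal session lifetime (seconds)

@dataclass
class Session:
    user: str
    source: str  # "portal" or "collector"
    expires_at: float

class Pdp:
    def __init__(self):
        self.sessions = {}  # ip -> Session

    def _expire(self, now):
        self.sessions = {ip: s for ip, s in self.sessions.items() if s.expires_at > now}

    def who_is(self, ip, now):
        self._expire(now)
        s = self.sessions.get(ip)
        return s.user if s else None

    def portal_auth(self, ip, user, now):
        # Transparent SSO only runs when the IP has no session, so a stale
        # entry wins and the second Windows user is still seen as the first.
        self._expire(now)
        if ip not in self.sessions:
            self.sessions[ip] = Session(user, "portal", now + PORTAL_SESSION_TIMEOUT)
        return self.sessions[ip].user

    def collector_login(self, ip, user, now):
        # Identity Collector forwards the AD logon event; "one user per IP"
        # replaces whatever entry the IP had.
        self.sessions[ip] = Session(user, "collector", now + PORTAL_SESSION_TIMEOUT)
        return user

    def revoke_ip(self, ip):
        # Manual 'pdp control revoke_ip' (and an Identity Agent logout report)
        # drop the entry outright.
        self.sessions.pop(ip, None)

def reproduce_issue():
    pdp, ip = Pdp(), "10.0.0.5"  # constructed test VM address
    first = pdp.portal_auth(ip, "Testuser1", now=0)
    stale = pdp.portal_auth(ip, "Testuser2", now=600)  # still Testuser1
    pdp.revoke_ip(ip)
    after_revoke = pdp.portal_auth(ip, "Testuser2", now=601)
    fixed = pdp.collector_login(ip, "Testuser3", now=700)
    return first, stale, after_revoke, fixed
```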
OlegPowerC
Participant

Thank You.

I will use AD Query and the agent instead of the captive portal.

0 Kudos
Tobias_Moritz
Advisor

ADQuery is deprecated, I suggest using IdentityCollector instead.

0 Kudos
OlegPowerC
Participant

But it is the same method (both read the event log in AD).

0 Kudos
PhoneBoy
Admin

ADQuery actually uses WMI that is pushed from Active Directory versus Identity Collector, which reads the Event logs directly.
In neither case does it read Logout events.
I believe the only way to get an actual log out event is using an Identity Agent.

0 Kudos
