Isabella Eistetter Posted January 21, 2019 Posted January 21, 2019 Hello, When you have implemented SSO through a third party login service and the user logout from the SSO system, the session in Invision keeps alive. So the user is still logged in Invision and it could be a security problem for us in some scenarios. Is there any way (through API call or configuration in invision's control panel) to close the invision's session or to sync the SSO session with the Invision session? Thank you
bfarber Posted January 21, 2019 Posted January 21, 2019 How are you implementing "SSO"? Is this through a plugin, or are you using the Login handler system to allow users to login through a central point, but the user still needs to "login" when on the community?
Isabella Eistetter Posted January 22, 2019 Author Posted January 22, 2019 Hi bfarber, It's the second way, we set a custom login method on Invision Admin Panel that connects to our Identity Provider and when users are logged in the SSO system they still needs to push the "SSO login" button in Invision.
bfarber Posted January 22, 2019 Posted January 22, 2019 In that case, there's not going to be a direct built in way to notify the software that the user has logged out. Most likely, you will need to create a plugin on \IPS\Session\Front (the read() method in my experience) to check for session validity. The simplest method usually involves looking for a cookie from the front end, and assuming the user is logged out if it is not present.
Isabella Eistetter Posted January 23, 2019 Author Posted January 23, 2019 Thank you for your answer bfarber
Recommended Posts
Archived
This topic is now archived and is closed to further replies.