Hello,

When you have implemented SSO through a third party login service and the user logout from the SSO system, the session in Invision keeps alive. So the user is still logged in Invision and it could be a security problem for us in some scenarios.

Is there any way (through API call or configuration in invision's control panel) to close the invision's session or to sync the SSO session with the Invision session?

Thank you

How are you implementing "SSO"? Is this through a plugin, or are you using the Login handler system to allow users to login through a central point, but the user still needs to "login" when on the community?

Hi bfarber,

It's the second way, we set a custom login method on Invision Admin Panel that connects to our Identity Provider and when users are logged in the SSO system they still needs to push the "SSO login" button in Invision.

In that case, there's not going to be a direct built in way to notify the software that the user has logged out. Most likely, you will need to create a plugin on \IPS\Session\Front (the read() method in my experience) to check for session validity. The simplest method usually involves looking for a cookie from the front end, and assuming the user is logged out if it is not present.

Thank you for your answer bfarber