Concurrent Session-Based Access Control Issue at the Sub-Organization Level in IS 7.0 #23391

@sanjulamadurapperuma

Description

When trying to implement concurrent session-based access control for sub-organizations using the steps defined in the official documentation [1], the user is able to log in to the application for the first time. However, when attempting to use a new tab in the same browser, it asks for the current session to be terminated.

Ideally, the active session limiter should not be executed when logging in from the same browser, as the session already exists. In this case, authentication steps in the login flow should be skipped.

However, during the sub-organization login flow, a re-authentication is triggered if Organization SSO is the authenticated IdP in the first step [2]. This forces the authenticators added in the second step to execute as well.

Due to this behavior, the issue does not occur for federated user logins with other IdPs.

This needs to be fixed.

[1] - https://is.docs.wso2.com/en/latest/guides/authentication/conditional-auth/concurrent-session-based-template/
[2] - https://github.com/wso2/carbon-identity-framework/blob/v7.0.78/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java#L293

Steps to Reproduce

  1. Log in to the console, create an application, and add "Sign in with SSO" as a login option in the "Login flow."
  2. Create a sub-organization and share the application created above with the sub-organization.
  3. Switch to the sub-organization and add a user to the sub-organization.
  4. Switch to the parent organization, edit the application created, and follow the steps provided in the official documentation [1].
  5. Try to log in to the application using the "Sign in with SSO" option and provide the sub-organization ID.
  6. Use the credentials of the user in the sub-organization, and it will allow the user to log in.
  7. Open a new tab in the same browser and try to access the same application. You will see the following behavior:
    • It asks the user to terminate the existing session (maximum session count is 1) even with the same browser.
  8. Terminate the session, and it will allow you to access the application.
  9. Open a new tab again and try to access the same session. Here, it will ask for the credentials of the sub-org user, which seems like it is terminating the sub-org session from step 7.

Version

v7.0.0

Environment Details (with versions)

No response
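The flow described in the report, as an added, stand-alone model that is not part of the original issue and is not WSO2 code. It wraps a script in the shape of the documented concurrent-session template (the exact template text is assumed; check [1]) around a stubbed authentication framework whose `executeStep` follows the behaviour the issue attributes to `DefaultStepHandler`: a step already satisfied by the browser's session is skipped, unless the authenticated IdP is Organization SSO, in which case re-authentication is forced and the session limiter in step 2 runs. The scenario inputs, user name and IdP names are constructed for the example; a skipped step is modelled as executing nothing, which is the behaviour the reporter expects.

```javascript
// Added example, not WSO2 code: a model of the adaptive-script login flow
// from the issue. executeStep/getUserSessions are stubs standing in for the
// WSO2 authentication framework (assumption), so this runs offline.

const MaxSessionCount = 1; // value used by the documented template

// Adaptive script in the shape of the documented concurrent-session template
// (assumed text). The framework object is passed in explicitly here instead
// of being a script global, so the model can be exercised in plain Node.
function onLoginRequest(fw, context) {
  fw.executeStep(1, {
    onSuccess: function (ctx) {
      const user = ctx.currentKnownSubject;
      const sessionCount = fw.getUserSessions(user).length;
      if (sessionCount >= MaxSessionCount) {
        // Step 2 is configured with the Active Sessions Limit authenticator,
        // which asks the user to terminate a session before continuing.
        fw.executeStep(2);
      }
    },
  });
}

// Stand-in for the framework. `scenario` is constructed input:
//   sameBrowser      - request carries the cookie of an existing SSO session
//   authenticatedIdp - IdP recorded for step 1 in that session (or null)
//   serverSessions   - sessions the user currently holds server-side
function makeFramework(scenario) {
  const executed = [];
  return {
    executed,
    getUserSessions: () => scenario.serverSessions,
    executeStep(stepId, handlers) {
      // Model of the reported DefaultStepHandler behaviour: step 1 is
      // satisfied by the existing browser session and would be skipped, but
      // Organization SSO as the authenticated IdP forces re-authentication,
      // which then drives the script on into step 2.
      const satisfiedBySession = stepId === 1 && scenario.sameBrowser;
      const forcedReauth = scenario.authenticatedIdp === 'OrganizationSSO';
      if (satisfiedBySession && !forcedReauth) {
        return; // existing session reused; nothing executes (expected path)
      }
      executed.push(stepId);
      if (handlers && typeof handlers.onSuccess === 'function') {
        handlers.onSuccess({ currentKnownSubject: 'sub-org-user' }); // constructed
      }
    },
  };
}

// Runs one login attempt and reports which steps executed and whether the
// user was prompted to terminate a session (i.e. step 2 ran).
function simulateLogin(scenario) {
  const fw = makeFramework(scenario);
  onLoginRequest(fw, {});
  return {
    executedSteps: fw.executed.slice(),
    promptedToTerminate: fw.executed.includes(2),
  };
}

// Constructed scenarios matching steps 6 and 7 of the report.
const firstLogin = simulateLogin({
  sameBrowser: false, authenticatedIdp: null, serverSessions: [],
}); // step 1 only, no prompt: the user has no session yet

const newTabViaOrgSso = simulateLogin({
  sameBrowser: true, authenticatedIdp: 'OrganizationSSO',
  serverSessions: [{ id: 'session-1' }],
}); // steps 1 and 2, prompt shown: the reported bug

const newTabViaOtherIdp = simulateLogin({
  sameBrowser: true, authenticatedIdp: 'SomeFederatedIdp',
  serverSessions: [{ id: 'session-1' }],
}); // nothing executes, no prompt: step 1 skipped, limiter never reached

console.log({ firstLogin, newTabViaOrgSso, newTabViaOtherIdp });
```

The third scenario is why the reporter notes that the problem is limited to Organization SSO: when step 1 is honoured from the existing session, the script never reaches the `executeStep(2)` call, so the session limiter has nothing to act on.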

Status

Done