By: Mursel Koseer user 22 Jan 2025 at 5:32 a.m. CST

6 Responses
Hey, we have two applications: one for employees (ERP) and one for clients (webshop). Employees can also be clients, but we don't want them to be automatically signed into the webshop. They need to log in with their client credentials. We didn't establish any trust relationships, but it seems that the session created by Gluu keeps you logged in across all apps within the same browser. How can we disable this? Thank you

By Mohib Zico Account Admin 24 Jan 2025 at 7:23 a.m. CST

Hi Mursel, this is more like an authorization issue, but a little bit customized. I am trying to summarize your requirement; correct me if I am wrong:

- Two applications connected with Gluu Server.
- ERP: for employees
- Webshop: for clients
- `ERP` is specifically for employees to use.
- `WebShop` can be used by both clients and employees.
- Now you don't want your employees to log into `Webshop` with their employee credentials, which they can achieve (you are suspecting) by leveraging the SSO session.

Question is:

- If `WebShop` only allows `client credentials` (which are separate from employee credentials), then even with an SSO session, they won't be able to use WebShop. The WebShop design should reject anyone without a proper client credential anyway.

Thoughts?

By Mursel Koseer user 24 Jan 2025 at 7:41 a.m. CST

Hi Zico, yes, those are the requirements. When there is no active session, meaning you are not logged into either the webshop or the ERP, and you first log into the webshop, I have implemented a check in the 'Person Authentication Script' to ensure the user has the necessary User Permission to log in. However, if a session has already been established by another application (for example, the ERP), the script does not execute because a session already exists.

By Michael Schwartz Account Admin 24 Jan 2025 at 7:53 a.m. CST

Zico is correct: your application is getting back an id_token because the browser is recognized by Gluu. The issue is that your application is not inspecting the id_token and deciding that it's not sufficient. What is the architecture of these two applications? Are they custom developed or SaaS? If you can share more details about the apps, we can point you in the right direction. BTW, as you do know the client_id's of these two applications, if you really do want to enforce security centrally, you can use the "Post Authn" interception script, although that may only be available in Flex. Zico can check...

By Mursel Koseer user 24 Jan 2025 at 7:59 a.m. CST

The applications are custom-built using .NET.

By Mohib Zico Account Admin 02 Feb 2025 at 10:58 p.m. CST

> BTW, as you do know the client_id's of these two applications, if you really do want to enforce security centrally, you can use the "Post Authn" interception script, although that may only be available in Flex. Zico can check...

I'll check the situation with the Post-AuthN script in CE first... will share an update.

By Mursel Koseer user 10 Feb 2025 at 5:56 a.m. CST

Hi, we fixed it by adding the "prompt=login" parameter on the request.
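The two relying-party-side pieces discussed in this thread, as an added example that is not code from the thread, from the .NET apps or from Gluu: inspecting the id_token the webshop receives from an existing SSO session, and sending the user back with `prompt=login` when that session is not acceptable. The permission claim name `user_permission`, the `max_age_seconds` policy and the endpoint URLs are assumptions; signature and audience checks are left to the OIDC library.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Assumed claim name (not from the thread): the webshop expects the IdP to
# release the user's application permissions in this custom id_token claim.
PERMISSION_CLAIM = "user_permission"


def build_authorize_url(authz_endpoint, client_id, redirect_uri, state, nonce,
                        force_login=False):
    """Build the OIDC authorization request for the webshop client.
    With force_login=True the request carries prompt=login, so the OP must
    re-authenticate the user even when the browser already holds an SSO
    session created by another application such as the ERP."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "nonce": nonce}
    if force_login:
        params["prompt"] = "login"
    return f"{authz_endpoint}?{urlencode(params)}"


def id_token_claims(id_token):
    """Extract the payload of a compact JWS id_token as a dict.
    This only decodes the claims; signature, iss, aud, exp and nonce must be
    verified by the OIDC library before the claims are trusted."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_client_login(claims, required_permission, max_age_seconds, now=None):
    """True when the id_token came from a session the webshop must not accept:
    the permission claim lacks the webshop permission (an employee's ERP
    session) or the authentication is older than the webshop's max age.
    The caller then redirects with build_authorize_url(..., force_login=True)."""
    now = time.time() if now is None else now
    perms = claims.get(PERMISSION_CLAIM, [])
    if isinstance(perms, str):
        perms = [perms]
    if required_permission not in perms:
        return True
    # A missing auth_time counts as "too old", which also forces a fresh login.
    return now - claims.get("auth_time", 0) > max_age_seconds
```

Gluu reads `prompt=login` from the authorization request and re-runs the authentication flow, which is what lets the Person Authentication Script check run again even though a browser session already exists.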