MC_273315
May 30, 2017

APM SAML (ACCESS::session remove)

Is it possible to immediately remove an active session upon completion of an Access Policy? We assign SSO connections via branches of one large Access Policy and have an issue when cookies are re-used when using tabbed browsing.

Some sort of iRule using ACCESS::session remove upon completion?

2 Replies

  • Hi,

    You can set session.max_session_timeout to 5 seconds after the policy has completed:

    when ACCESS_POLICY_COMPLETED {
        if {some conditions} {
            ACCESS::session data set "session.max_session_timeout" 5
        }
    }
    
  • Have the same need. Why keep these sessions around when the IdP SAML/SSO has completed? Like to clean them out.

    Yup, doesn't time out for me either. So guess this isn't a solution, but I wonder why change this in an iRule? For the access profile for the SAML/SSO, change the default inactivity, access policy, and session timeout values. This should all happen inside of a few seconds, but anticipate delays with browser redirect.

    I'm setting these to 10/20/20 for NTLM based and so far it seems to be good and the sessions age out quickly.

    Higher numbers if the user is being prompted for credentials. But seems to me that the access policy and the maximum session timeouts could be set the same, since once IdP SAML/SSO completes the IdP is done and the user is now at the service provider.

    Now the SP logout could come back in, but the authenticated session will be gone.