How to setup Session Invalidator feature

To further strengthen session management and reinforce secure user access, ZTrust now offers enhanced controls under the Session Invalidation Notification feature. This capability ensures that only the active session remains valid, thereby preventing unauthorized or unmonitored concurrent access.

Introduction

Session management is a critical component of identity and access control. ZTrust introduces refined session invalidation capabilities that enable administrators to define how multiple login sessions are handled, providing an added layer of control and security. These options help organizations enforce stricter login behaviors, mitigating the risk of unauthorized access through abandoned or shared sessions.

Previous Functionality

Previously, the Session Invalidation Notification section supported only the "Allow Maximum Login Sessions" option. This allowed administrators to configure the maximum number of concurrent sessions a user could maintain. Upon reaching the session limit, the system would automatically terminate the oldest active session to accommodate a new login.

New Feature: "Deny New Session"

With ZTrust V4.0.0, we have introduced a second option: "Deny New Session". When this setting is enabled and the configured maximum session limit is reached, any new login attempt is denied. The system does not invalidate older sessions, thereby enforcing the session limit strictly until an existing session is manually terminated or expires.

Benefits

  • Enhanced session control and visibility.

  • Greater security through stricter concurrent access enforcement.

  • Configurable according to organizational policies.

These new enhancements enable ZTrust administrators to tailor session behaviors to better suit compliance, risk, and operational requirements.

Follow the steps below to set up the Session Invalidator feature

  1. Login to ZTrust Admin Console.

  2. Click on Authentication.

  3. Click on Duplicate and create a copy of Browser Flow.

  4. Provide any name. For example - Session Invalidation and click on OK.

  5. Click on Duplicate.

  6. Delete all except the Session Invalidation Forms.

  7. Click on Add step.

  8. Select Advanced Session Invalidator.

  9. Click on Add.

  10. For Advanced Session Invalidator, make the requirement as Required.

  11. For Advanced Session Invalidator, click on settings.

  12. Two options now provide administrators with greater control over session management:

    • Allow Maximum Login Sessions: Allows new logins by terminating the oldest session once the session limit is reached.

    • Deny New Session: Prevents any new logins once the session limit is reached, unless an existing session is manually terminated or expires.

  13. Click on Save.

  14. Click on Action, and then Bind flow.

  15. Select Browser flow from the dropdown menu.

  16. Click on Save.

The Session Invalidation feature is now configured.
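The two policies described above, as a small Python model added here for illustration; it is not ZTrust's own code. The in-memory store, the user names, session ids, epoch timestamps and the default one-hour lifetime are constructed so the behaviour of "Allow Maximum Login Sessions" versus "Deny New Session" can be traced step by step, including the expiry case that lets a denied user log in again.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    ALLOW_MAX_LOGIN_SESSIONS = "allow_max"  # admit the new login, evict the oldest session
    DENY_NEW_SESSION = "deny_new"           # refuse the new login while the limit is reached


@dataclass
class Session:
    session_id: str
    started_at: int   # epoch seconds, passed in by the caller so runs are deterministic
    expires_at: int


class SessionLimiter:
    # Per-user concurrent-session limit; stand-in for the product's session store.
    def __init__(self, max_sessions: int, policy: Policy, lifetime: int = 3600):
        self.max_sessions = max_sessions
        self.policy = policy
        self.lifetime = lifetime            # constructed default: one hour
        self._sessions: dict[str, list[Session]] = {}
        self.audit: list[str] = []          # one line per decision, for the defender's log

    def active_sessions(self, user: str, now: int) -> list[Session]:
        # Expired sessions no longer count toward the limit.
        live = [s for s in self._sessions.get(user, []) if s.expires_at > now]
        self._sessions[user] = live
        return live

    def login(self, user: str, session_id: str, now: int) -> tuple[bool, Optional[str]]:
        # Returns (admitted, evicted_session_id).
        live = self.active_sessions(user, now)
        oldest = None
        if len(live) >= self.max_sessions:
            if self.policy is Policy.DENY_NEW_SESSION:
                self.audit.append(f"DENY user={user} new={session_id} active={len(live)}")
                return False, None
            oldest = min(live, key=lambda s: s.started_at)
            live.remove(oldest)
            self.audit.append(f"EVICT user={user} old={oldest.session_id} for={session_id}")
        live.append(Session(session_id, now, now + self.lifetime))
        self.audit.append(f"ADMIT user={user} new={session_id}")
        return True, oldest.session_id if oldest else None

    def logout(self, user: str, session_id: str, now: int) -> bool:
        live = self.active_sessions(user, now)
        self._sessions[user] = [s for s in live if s.session_id != session_id]
        return len(self._sessions[user]) < len(live)
```

With the deny policy, a third login is refused until one of the two existing sessions is logged out or reaches `expires_at`; with the allow policy the same login succeeds and the oldest session id is returned so it can be revoked downstream.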
