4.16 Setup Session Invalidator feature

To further strengthen session management and reinforce secure user access, ZTrust now offers enhanced controls under the Session Invalidation Notification feature. This capability ensures that only the active session remains valid, thereby preventing unauthorized or unmonitored concurrent access.

Introduction

Session management is a critical component of identity and access control. ZTrust introduces refined session invalidation capabilities that enable administrators to define how multiple login sessions are handled, providing an added layer of control and security. These options help organizations enforce stricter login behaviors, mitigating the risk of unauthorized access through abandoned or shared sessions.

Previous Functionality

Previously, the Session Invalidation Notification section supported only the "Allow Maximum Login Sessions" option. This allowed administrators to configure the maximum number of concurrent sessions a user could maintain. Upon reaching the session limit, the system would automatically terminate the oldest active session to accommodate a new login.

New Feature: "Deny New Session"

With ZTrust V4.0.0, we have introduced a second option: "Deny New Session". When this setting is enabled and the configured maximum session limit is reached, any new login attempt is denied. The system does not invalidate older sessions, thereby enforcing the session limit strictly until an existing session is manually terminated or expires.

Benefits

• Stronger session control and visibility

• Prevents unauthorized concurrent logins

• Fully configurable based on organizational policies

• Supports compliance, risk management, and auditability

These new enhancements enable ZTrust administrators to tailor session behaviors to better suit compliance, risk, and operational requirements.

Follow the below steps to set up Session Invalidator feature

1. Login to ZTrust Admin Console.

   

   Fig. 4.15.a: Welcome page of session_invalidation realm
2. Click on Authentication.

   

   Fig. 4.15.b: Navigate to Authentication
3. Click on Duplicate and create a copy of Browser Flow.

Fig. 4.15.c: Duplate the browser flow

1. Provide any name. For example - Session Invalidation and click on OK.

Fig. 4.15.d: Give a name to the duplicated browser flow for session invalidation

1. Click on Duplicate.

Fig. 4.15.e: 'Session Invalidation' browser flow configuration page

1. Delete everything under Session Invalidation Forms.

Fig 4.15.f: Duplicated browser flow configuration page for Session Invalidation

1. Click on Add step.

Fig 4.15.g: Proceeding to add a new execution to Session Invalidation flow

1. Select Advanced Session Invalidator.

2. Click on Add.

3. For Advanced Session Invalidator, make the requirement as Required.

Fig 4.15.h: Changing the 'Requirement' of Advanced Session Invalidator

1. For Advanced Session Invalidator, click on settings.

Fig 4.15.i: Proceeding to configure Session Invalidator

1. Now two options now provide administrators with greater control over session management:

   • Allow Maximum Login Sessions: Allows new logins by terminating the oldest session once the session limit is reached.

   • Deny New Session: Prevents any new logins once the session limit is reached, unless an existing session is manually terminated or expires.

Fig 4.15.j: Configuring Session Invalidation

1. Click on Save.

2. Click on Action, and then Bind flow.

Fig 4.15.k: Proceeding to bind the login Session Invalidation flow

1. Select Browser flow from the dropdown menu.

Fig 4.12.6.j: Selecting a flow to bind Session Invalidation flow to

1. Click on Save.

Session Invalidation feature is configured now.