SSO Session Management
Understand Passport's session model — how SSO sessions are established, how lifetime and idle timeout policies work, and how Single Logout propagates across all connected applications.
Session Architecture
Passport maintains two distinct session layers:
Passport Session
The master session at the IdP level. Established once when the user first authenticates. Lives in the IAM_Sessions table. Controls how long the user can access connected applications without re-authenticating to Passport.
SP/Client Session
The local session each application maintains after it has consumed a valid assertion or token. It is managed entirely by the SP; Passport has no visibility into SP session state, and the only link between the two layers is the SAML SessionIndex or the OIDC refresh token. Expiring or terminating a Passport session therefore stops further assertions from being issued, but does not by itself end SP sessions that already exist.
Session Lifetime Policies
| Policy | Default | Configurable | Description |
|---|---|---|---|
| Absolute session lifetime | 8 hours | Per tenant | Maximum time a Passport session is valid regardless of activity |
| Idle timeout | 2 hours | Per tenant | Session expires if no SSO activity within this window |
| Remember-me duration | 30 days | Per tenant | Extended session when user selects "remember this device" |
| SAML assertion window | 5 min | Per consumer | NotOnOrAfter in assertion — SP must process within this window |
| OIDC access token | 15 min | Per client | Access token validity — refresh token extends the session |
| OIDC refresh token | 7 days | Per client | Refresh token validity — rotated on each use |
Session Establishment Flow
First SSO Request
No Passport session cookie exists. Passport presents the login form. User authenticates with username + password (and MFA if configured).
Session Created
Passport creates an entry in IAM_Sessions with a cryptographically signed session token and sets it as an HttpOnly; Secure; SameSite=None cookie on the Passport domain. SameSite=None is needed because SP-initiated SSO and SLO requests reach Passport as cross-site requests, and browsers accept SameSite=None only together with Secure.
Assertion Issued
Passport issues the SAML assertion or OIDC token to the requesting application. The SAML assertion includes the SessionIndex which links the SP session to the Passport session for SLO purposes.
Subsequent SSO Requests
When the user visits a second application, the browser sends the Passport session cookie with the request. Passport validates the token and the session's lifetime policy and issues a new assertion immediately, with no login prompt. This is the single sign-on experience.
Session Expiry
When the session exceeds the absolute lifetime or the idle timeout (or the remember-me duration for a remembered device), it is invalidated. The next SSO request triggers a fresh authentication prompt.
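The policy table and the establishment/expiry flow above, worked through as an added example. This is illustrative code, not Passport's own implementation: the PassportSessionStore class, the HMAC-SHA256 token construction, the cookie name, the in-memory dict standing in for IAM_Sessions, and the rule that a remember-me session replaces both the absolute and idle limits with the 30-day window are all assumptions. Times are passed in explicitly so the policy checks can be exercised deterministically.

```python
import hashlib
import hmac
import secrets

# Defaults from the policy table (seconds)
ABSOLUTE_LIFETIME = 8 * 3600
IDLE_TIMEOUT = 2 * 3600
REMEMBER_ME_DURATION = 30 * 24 * 3600


class PassportSessionStore:
    """Stand-in for the IAM_Sessions table plus token and cookie handling (assumed design)."""

    def __init__(self, signing_key: bytes, absolute=ABSOLUTE_LIFETIME,
                 idle=IDLE_TIMEOUT, remember_me=REMEMBER_ME_DURATION):
        self.key = signing_key
        self.absolute, self.idle, self.remember_me = absolute, idle, remember_me
        self.sessions = {}  # session_id -> record (one IAM_Sessions row)

    def _sign(self, session_id: str) -> str:
        # HMAC-SHA256 over the opaque id: an assumed construction of the
        # "cryptographically signed session token", not Passport's real format
        return hmac.new(self.key, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user: str, now: float, remember_me: bool = False):
        """Session Created: new row, signed token, cookie attributes."""
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {
            "user": user, "created": now, "last_seen": now,
            "remember_me": remember_me, "participants": {},  # sp entityID -> SessionIndex
        }
        token = f"{session_id}.{self._sign(session_id)}"
        # SameSite=None so cross-site SAML/OIDC requests to Passport carry the cookie;
        # browsers require Secure alongside it, and HttpOnly keeps it away from scripts
        cookie = f"passport_session={token}; Path=/; HttpOnly; Secure; SameSite=None"
        return token, cookie

    def validate(self, token: str, now: float):
        """Return the session id if the token is authentic and within policy, else None."""
        session_id, _, sig = token.rpartition(".")
        if not session_id or not hmac.compare_digest(sig, self._sign(session_id)):
            return None  # forged or malformed token; nothing in the store is touched
        record = self.sessions.get(session_id)
        if record is None:
            return None  # already expired or terminated
        if record["remember_me"]:
            # Assumption: remember-me swaps both limits for the 30-day window
            expired = now - record["created"] >= self.remember_me
        else:
            expired = (now - record["created"] >= self.absolute
                       or now - record["last_seen"] >= self.idle)
        if expired:
            del self.sessions[session_id]  # Session Expiry: next request gets the login form
            return None
        record["last_seen"] = now  # SSO activity resets the idle window
        return session_id

    def sso_request(self, token, sp_entity_id: str, now: float):
        """First/Subsequent SSO Request: ("login_required", None) or ("assertion", session_index)."""
        session_id = self.validate(token, now) if token else None
        if session_id is None:
            return "login_required", None
        participants = self.sessions[session_id]["participants"]
        # One SessionIndex per SP participation, remembered so SLO can fan out later
        index = participants.setdefault(sp_entity_id, secrets.token_urlsafe(16))
        return "assertion", index
```

A tampered token fails the HMAC check before any store lookup, an expired row is removed on first contact rather than lingering, and the idle clock only advances on a successful SSO request, which matches the "no SSO activity within this window" definition in the table.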
Single Logout (SLO)
SAML Single Logout ensures that when a user logs out from one application, all other SSO-connected applications are also notified and can terminate their local sessions.
SLO Flow
Initiating SP sends LogoutRequest
POST /passport/saml/slo
SAMLRequest=base64-encoded-LogoutRequest
&SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
&Signature=...
Passport validates the request
Validates the signature using the signing certificate registered for the SP named in Issuer (with the detached SigAlg/Signature parameters shown above the signature covers the encoded request; with the plain HTTP-POST binding it is an XML Signature inside the LogoutRequest), extracts the NameID and SessionIndex, and locates the Passport session that issued that SessionIndex to that SP. A request whose SessionIndex was issued to a different SP, or whose NameID does not match the session, is rejected.
Fan-out LogoutRequests to all SPs
Passport sends an SLO LogoutRequest to every other SP that participated in the session, each carrying the SessionIndex that SP received. These are sent in parallel with a configurable timeout.
Session Destroyed + LogoutResponse
Passport destroys the session regardless of SP response status. Returns a LogoutResponse to the initiating SP with success status.
Passport sends SLO requests to all SPs but does not retry on failure. If an SP is unavailable during SLO, its local session may remain active until it naturally expires. This is standard SAML SLO behavior, not a Passport limitation. Design SP session lifetimes accordingly: keep them short relative to the Passport session, and treat SLO as best-effort notification rather than guaranteed revocation.
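The SLO flow above, from receiving the initiating SP's LogoutRequest through the parallel fan-out and session teardown, as an added example. This is illustrative code, not Passport's own: the PassportSLO class, the Passport entityID, the SP registry layout, the session record layout and the failure-reporting fields are assumptions, the transport is injected so the example runs offline, and the per-SP verify callable stands in for RSA-SHA256 verification against the SP's registered certificate. It also shows the ownership checks (SessionIndex and NameID must belong to the issuing SP) that the validation step relies on.

```python
import base64
import secrets
import time
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor, wait
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
PASSPORT_ISSUER = "https://passport.example/saml"  # assumed Passport entityID

def build_logout_request(issuer, destination, name_id, session_index):
    """Minimal samlp:LogoutRequest; signing is left to the transport layer in this example."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "Destination": destination,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root)

def parse_logout_request(xml_bytes):
    """Return (issuer, name_id, session_index); use defusedxml for untrusted input in production."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    fields = (root.findtext(f"{{{SAML}}}Issuer"), root.findtext(f"{{{SAML}}}NameID"),
              root.findtext(f"{{{SAMLP}}}SessionIndex"))
    if not all(fields):
        raise ValueError("Issuer, NameID and SessionIndex are required")
    return fields

class PassportSLO:
    def __init__(self, sessions, sp_registry, send, timeout=5.0):
        self.sessions = sessions        # session_id -> {"name_id", "participants": {sp: idx}}
        self.sp_registry = sp_registry  # sp entityID -> {"slo_url", "verify"}
        self.send = send                # (slo_url, xml_bytes) -> None; raises if the SP fails
        self.timeout = timeout
        self.by_index = {idx: (sid, sp) for sid, s in sessions.items()
                         for sp, idx in s["participants"].items()}

    def handle_logout(self, form):
        """Steps 1 to 4 of the SLO flow for one form body POSTed to /passport/saml/slo."""
        issuer, name_id, session_index = parse_logout_request(base64.b64decode(form["SAMLRequest"]))
        sp = self.sp_registry.get(issuer)
        if sp is None or not sp["verify"](form["SAMLRequest"], form.get("SigAlg"), form.get("Signature")):
            return {"status": REQUESTER, "detail": "unknown issuer or bad signature"}
        hit = self.by_index.get(session_index)
        # An SP may only end a session it took part in, for the subject it was issued
        if hit is None or hit[1] != issuer or self.sessions[hit[0]]["name_id"] != name_id:
            return {"status": REQUESTER, "detail": "SessionIndex not issued to this SP"}
        session_id, session = hit[0], self.sessions[hit[0]]
        results = self._fan_out(session, exclude=issuer)
        for idx in session["participants"].values():  # destroy regardless of SP answers
            self.by_index.pop(idx, None)
        del self.sessions[session_id]
        return {"status": SUCCESS, "participants": results,
                "failed": sorted(sp for sp, r in results.items() if r != "ok")}

    def _fan_out(self, session, exclude):
        """Parallel LogoutRequests with a single timeout and no retry."""
        targets = {sp: idx for sp, idx in session["participants"].items() if sp != exclude}
        pool, futures = ThreadPoolExecutor(max_workers=max(1, len(targets))), {}
        for sp, idx in targets.items():
            url = self.sp_registry[sp]["slo_url"]
            req = build_logout_request(PASSPORT_ISSUER, url, session["name_id"], idx)
            futures[pool.submit(self.send, url, req)] = sp
        done, not_done = wait(futures, timeout=self.timeout)
        results = {futures[f]: ("ok" if f.exception() is None else "error") for f in done}
        results.update({futures[f]: "timeout" for f in not_done})
        pool.shutdown(wait=False)  # do not hold the LogoutResponse for slow SPs
        return results

def build_demo(timeout=0.2):
    """Constructed fixture: one session shared by four SPs; sp-c is down and sp-d hangs."""
    sessions = {"s1": {"name_id": "alice@example.com", "participants": {
        "sp-a": "idx-a", "sp-b": "idx-b", "sp-c": "idx-c", "sp-d": "idx-d"}}}
    registry = {sp: {"slo_url": f"https://{sp}.example/saml/slo",
                     # stand-in for RSA-SHA256 verification with the SP's registered certificate
                     "verify": lambda enc, alg, sig: sig == "good"}
                for sp in sessions["s1"]["participants"]}

    def fake_send(url, xml):
        parse_logout_request(xml)  # what Passport sends must itself be well-formed
        if "sp-c" in url:
            raise ConnectionError("SP unreachable")
        if "sp-d" in url:
            time.sleep(1.0)  # slower than the fan-out timeout
    return PassportSLO(sessions, registry, fake_send, timeout=timeout), sessions

def demo_form(issuer, session_index, signature="good", name_id="alice@example.com"):
    """Form body an SP POSTs to /passport/saml/slo (constructed sample)."""
    xml = build_logout_request(issuer, "https://passport.example/saml/slo", name_id, session_index)
    return {"SAMLRequest": base64.b64encode(xml).decode(),
            "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "Signature": signature}
```

The session is deleted before the response is built, so an SP that errors or times out cannot keep the Passport session alive; its name is only recorded in the `failed` list so the operator can see which SP sessions will linger until they expire locally.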
Session Admin Operations
// List all active sessions for a user
GET /passport/admin/users/{userId}/sessions
Authorization: Bearer {admin-token}
// Forcibly terminate a specific session
DELETE /passport/admin/sessions/{sessionId}
Authorization: Bearer {admin-token}
// Terminate all sessions for a user (account lockout scenario)
DELETE /passport/admin/users/{userId}/sessions
Authorization: Bearer {admin-token}
{ "reason": "security-incident", "notifyUser": true }