Use Overwritten Session view if an active session is implicitly overridden by a different provider #61217

@azasypkin

Description

Previously we used the Overwritten Session view only when a user with an active session (created by the SAML authentication provider) logged in again via SAML IdP-initiated login as a different user.

With the changes introduced in #53010 we'll have more cases where an active session can be overridden implicitly and potentially confuse the user as a result. In such cases it'd be beneficial to warn them with the Overwritten Session view. At the same time we shouldn't show this view if the user initiates a new login from the Login Selector UI.

Right now I can think of the following cases where showing the Overwritten Session view would be beneficial:

  • If the user has an active session (with any provider except SAML) and they perform a SAML IdP-initiated login

  • If the user has an active session (with any provider except OpenID Connect) and they perform an OpenID Connect IdP-initiated login

  • If the user has an active SAML session and they perform a SAML IdP-initiated login for another realm or user

  • If the user has an active OpenID Connect session and they perform an OpenID Connect IdP-initiated login for another realm or user

  • If the user has an active cookie with an expired refresh token acquired in exchange for a Kerberos TGT and they successfully perform a new SPNEGO login for another user (this one is tricky and we may not be able to cover this use case, since this is a multi-step process that can also happen for AJAX requests)
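The decision rule behind the cases above, written out as an added example (not Kibana's own code); the session and login shapes, the `idpInitiated` and `fromLoginSelector` flags, and the provider names are assumptions made for illustration, and the Kerberos/SPNEGO case is deliberately left out of the rule:

```typescript
// Added example, not Kibana code: encodes when an implicit session override
// should be surfaced with the Overwritten Session view.
type ProviderType = 'basic' | 'token' | 'saml' | 'oidc' | 'kerberos' | 'pki';

interface ActiveSession {
  provider: ProviderType;
  realm: string;     // assumed: name of the authentication realm
  username: string;
}

interface IncomingLogin {
  provider: ProviderType;
  realm: string;
  username: string;
  fromLoginSelector: boolean; // user explicitly started this login from the Login Selector UI
  idpInitiated: boolean;      // assumed flag: SAML / OIDC flow initiated by the IdP
}

/**
 * Returns true when an existing session is about to be overridden implicitly
 * and the user should be warned with the Overwritten Session view.
 */
function shouldShowOverwrittenSession(active: ActiveSession | null, login: IncomingLogin): boolean {
  // Nothing to overwrite, or the user asked for a new login themselves: no warning.
  if (active === null || login.fromLoginSelector) {
    return false;
  }
  // Only implicit IdP-initiated SAML / OpenID Connect logins are modelled here;
  // the multi-step Kerberos/SPNEGO case from the issue is intentionally not covered.
  if (!login.idpInitiated || (login.provider !== 'saml' && login.provider !== 'oidc')) {
    return false;
  }
  // Active session belongs to a different provider type.
  if (active.provider !== login.provider) {
    return true;
  }
  // Same provider type, but a different realm or a different user.
  return active.realm !== login.realm || active.username !== login.username;
}
```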
