[OPENAM-16093] RFE: accountLockout should also invalidate or remove current session Created: 02/Apr/20  Updated: 03/Apr/20  Resolved: 03/Apr/20

Status: Closed
Project: OpenAM
Component/s: CTS, session
Affects Version/s: 6.5.2
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: David Bate Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is duplicated by OPENAM-10566 Once a User Status is set to inactive... Reopened
Support Ticket IDs:


Account Lockout functionality only affects Authentication. Current active sessions are still able to be used. This is a Request for Enhancement to the Account Lockout feature for AM to remove or invalidate the active sessions for a user who gets locked out.

For example, given a username:

1 - Search and delete all active tokens in CTS
2 - Set inetUserStatus (or equivalent) to Inactive
3 - Audit the above somewhere

Either the API (better) or direct LDAP calls could be used for this.
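The three steps above, as an added example that is not part of the ticket or of AM's own code. The identity repository and CTS are constructed in-memory dicts standing in for the REST or LDAP calls a real implementation would make; the example also reorders the steps so the account is deactivated before its sessions are revoked, which closes the login path and leaves no window for a fresh session between the search and the delete.

```python
from datetime import datetime, timezone

# Constructed stand-ins for AM's identity repository and CTS. In a real
# deployment these two dicts are replaced by REST or LDAP calls.
USERS = {"dbate": "Active", "alice": "Active"}  # username -> inetUserStatus
CTS_TOKENS = {"tok-1": "dbate", "tok-2": "alice", "tok-3": "dbate"}  # token id -> owner
AUDIT_LOG: list[dict] = []


def find_sessions(cts: dict, username: str) -> list[str]:
    """RFE step 1 (search): every CTS session token owned by the user."""
    return [tid for tid, owner in cts.items() if owner == username]


def lock_out(username: str, users: dict, cts: dict, audit: list) -> dict:
    """Deactivate the account, revoke its live sessions, audit the result.

    The RFE lists "delete tokens" before "set Inactive". Doing it the other
    way round closes the authentication path first, so no new session can be
    minted between the search and the delete; revocation is then pure clean-up.
    """
    if username not in users:
        raise KeyError(f"unknown user {username!r}")
    users[username] = "Inactive"                 # RFE step 2, done first
    revoked, failed = [], []
    for tid in find_sessions(cts, username):     # RFE step 1 (delete)
        try:
            cts.pop(tid, None)                   # idempotent: an expiry that beat us is fine
            revoked.append(tid)
        except Exception as exc:                 # a real CTS delete can fail; keep going
            failed.append((tid, repr(exc)))
    record = {                                   # RFE step 3: audit, including partial failure
        "event": "ACCOUNT_LOCKOUT",
        "user": username,
        "sessions_revoked": len(revoked),
        "sessions_failed": len(failed),
        "at": datetime.now(timezone.utc).isoformat(),
    }
    audit.append(record)
    return record


if __name__ == "__main__":
    print(lock_out("dbate", USERS, CTS_TOKENS, AUDIT_LOG))
```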



Comment by Andy Hall [ 02/Apr/20 ]

David Bate Please attach a support ticket.

And is this using trees or chains?



Comment by Bipin Kalawade [ 03/Apr/20 ]

Support ticket: 48353

We are still on 5.1.1; however, the feature we are looking to implement is at getSessionInfo or validate. So for some reason (as explained in the ticket), if the user's active status is revoked then we need to kill the user's current active session.

To answer specifically we are still using authentication modules and chains.
