mobile icon indicating copy to clipboard operation
mobile copied to clipboard
verified publisher icon MerginMaps

User cannot login via SSO if another user was logged via SSO

Open RastoHu opened this issue 7 months ago • 1 comments

If one user was already logged via SSO in mobile app, second user cannot login. After authentication of second user, the first user is still logged in.

Steps to reproduce:

  1. in mobile app login via SSO with user <your_lutra_email>@lutraconsulting.co.uk
  2. go through Microsoft authentication
  3. Sign out
  4. go to sign in screen in the app and click Continue with SSO
  5. login with second user [email protected] -> Microsoft authentication is skipped and first user is still logged in

Application (+ app version, build, operating system)

  • Current Android app version: 2025.3.1
  • Android version: 14
  • Mobile browser: Chrome 137.0.7151.115

Note: to avoid this behavior, you must open the browser in the mobile device and clear browsing data.

RastoHu avatar Jun 27 '25 12:06 RastoHu

Yeah there are several options how to prevent that. I think in real environments this will be not issue. To avoid this from plugin or mobile :

  • we could send forceAuthn=true Param to /authorize request.

  • we could instruct admins to revoke session for user in entra admin portal

  • if customers will have higher plan, they can make more detailed option on how to make sessions shorter in Entra Future option

  • in future we could sign out user not just by removing token

MarcelGeo avatar Jun 27 '25 15:06 MarcelGeo

After talking to Ory support, they say this is more of an edge-case. forceAuth should be used only for specific customers if they require so as it basically breaks true SSO (you would need to sign in multiple times, not once! :) )

tomasMizera avatar Jul 01 '25 08:07 tomasMizera