An access management system may enable users to access one or more different systems and applications. Each of these systems and applications may apply its own access control policy and request its own credentials (e.g., user names and passwords). A user wanting to access multiple resources protected by an access management system may need to be authenticated by credentials provided to the access management system. A successful authentication gives the user authorization to access the protected resources, based on the user's assigned access privileges.
If a user wants to access multiple resources protected by the access management system, the access management system may determine whether the user is authenticated to access the multiple resources requested. In some instances, authentication of the user for one resource may suffice for accessing other resources; otherwise, the access management system may request additional credentials from the user. Once authenticated to access multiple resources, the user may not need to re-authenticate to access additional resources. In such instances, the access management system may maintain a single session, such as a single sign-on (SSO) session, which provides the user with access to multiple resources after a single authentication.
An access management system may provide the user flexibility with regard to (1) where the user may perform a session login, (2) the number of simultaneous sessions that the user may initiate, and (3) which privileges are associated with a session. However, because users may only be able to end a session by performing a logout at the device where the session was initiated, this flexibility may compromise enterprise security in certain situations. For example, if a user creates a session at a device and then loses the device, the user may be unable to end the session at the lost device. In another example, if a user creates a session at a public terminal and then forgets to end the session, it may become inconvenient for the user to end the session if the user moves to another geographic location before remembering that the session was not ended. In another example, if a user connected to a remote device over a VPN creates a session at the remote device and the VPN connection then fails, the user may be unable to end the session at the remote device if the VPN connection cannot be re-established.
Because non-persistent sessions generally expire automatically after a period of time, the problems described in the above examples may eventually resolve themselves. However, until such a session expires, it remains usable by anyone who gains control of the device or terminal, and may be abused by unauthorized individuals to access protected resources of the enterprise. For persistent sessions, which do not expire on their own, the risk is magnified.
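The following is an added example, not code from the original page, that models the situation described above: a server-side SSO session store in which a single authenticated session covers multiple resources, non-persistent sessions expire after an idle period while persistent ones do not, and, unlike the logout-at-the-originating-device-only model, any device holding a live session for the user can enumerate and revoke the user's other sessions. The class and method names, the 15-minute idle timeout, and the injectable clock are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed idle timeout for non-persistent sessions (illustrative value).
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    session_id: str
    user: str
    device: str
    persistent: bool
    last_seen: float
    # Resources this session has already been authorized for (SSO: one
    # authentication, many resources).
    resources: set = field(default_factory=set)


class SessionStore:
    """Server-side session registry with a per-user index for remote revocation."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._sessions = {}          # session_id -> Session
        self._by_user = {}           # user -> set of session_ids

    def login(self, user, device, persistent=False):
        """Create a session after the user has authenticated; returns the opaque ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, device, persistent, self._clock())
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def _expired(self, s):
        # Persistent sessions never expire on their own; that is the magnified risk.
        return (not s.persistent) and (self._clock() - s.last_seen > IDLE_TIMEOUT_SECONDS)

    def _revoke(self, s):
        self._sessions.pop(s.session_id, None)
        self._by_user.get(s.user, set()).discard(s.session_id)

    def validate(self, sid):
        """Return the live Session for sid, or None. Expired sessions are purged."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._expired(s):
            self._revoke(s)
            return None
        s.last_seen = self._clock()
        return s

    def authorize(self, sid, resource, policy):
        """SSO check: a live session plus the resource's policy grants access
        without re-authentication. `policy(user, resource)` returns True/False."""
        s = self.validate(sid)
        if s is None or not policy(s.user, resource):
            return False
        s.resources.add(resource)
        return True

    def logout(self, sid):
        """Local logout: only works from the device that holds this session ID."""
        s = self._sessions.get(sid)
        if s is not None:
            self._revoke(s)

    def list_sessions(self, user):
        """Live sessions for a user, so another device can see a lost or forgotten one."""
        return [s for s in (self.validate(i) for i in list(self._by_user.get(user, ())))
                if s is not None]

    def revoke_other_sessions(self, user, keep):
        """Remote logout: kill every session of `user` except `keep`. Returns the count."""
        killed = 0
        for s in self.list_sessions(user):
            if s.session_id != keep:
                self._revoke(s)
                killed += 1
        return killed


if __name__ == "__main__":
    store = SessionStore()
    lost_phone = store.login("alice", "phone", persistent=True)
    laptop = store.login("alice", "laptop")
    print("alice sessions:", [(s.device, s.persistent) for s in store.list_sessions("alice")])
    # The phone is lost; alice logs in elsewhere and revokes everything else.
    print("revoked:", store.revoke_other_sessions("alice", keep=laptop))
    print("lost phone session still valid?", store.validate(lost_phone) is not None)
```

The point of the example is the `_by_user` index and `revoke_other_sessions`: without a server-side index keyed by user, the only handle on a session is the cookie on the device that created it, which is exactly the device the user no longer controls in the lost-device, public-terminal and dropped-VPN cases.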