Hello,

As per discussion, we will not perform single-sign-out if the user logs out or removes card etc. The session expires only when the token expires.
Let me know if you have different thoughts on this one.

Thanks,

Clearing the needinfo of mine, as the expected behavior of smart card or even the working of smart card with Keycloak/RHSSO is session get immediately revoked after removal of smart card from reader. Leaving the final call for development or PMs, what behavior we would like to see in case of foreman.

The SmartCard auth workflow integration we have at the moment does not treat SmartCard eject scenario differently. We've discussed this behavior within Devs and with PM and our opinion is to get this out with the current behavior and get feedback from the field. 

I agree with you about special handling for SmartCard ejects, however more work and input from RHSSO team is required to get the behavior right. Adding Dana and BK for their information.

@Anurag @Tomer @Rahul, Please provide the steps for configuring the mechanism helping users to configure to re-authenticate. Please provide the time will take to sign-out from satellite after smart card ejection.

Session time out is configurable from settings regardless of the authentication mechanism. When session times out, the user is redirected to the login page. 
In the case of SSO, if the user is still logged into SSO they should be automatically re-authenticated. 
If after the session times out the smart card is no longer connected I would expect the SSO authentication to fail and thus not re-authenticate the user.

Correction: in the case of keycloak, the session timeout is defined by keycloak and passed as the 'exp' section of the token. Once that timeout is reached, user will be redirected to SSO login page. If the keycard has been removed by then, they will not be able to login again.

Since there is a technical limitation on a browser being able to recognize a CAC card ejection. For now the best we can agree to is this: Whenever the satellite session invalidates, we should look to re-authenticate. If the SSO session is invalid, we should force the user to re-auth.  This means there is an acknowledged window of opportunity between when the CAC card is removed and when the session times out that will allow access until the session times out. 

We will look to determine in the future how we can better facilitate invalidating the session when the CAC card is removed. Until then the SSO Admin will have to set a reasonable timeout for sessions for his organization and recognize the limitations of the browser for CAC removal. Alternate security precautions at the OS or Physical access level should be considered by the SSO Administrator.

Hello,

Matt is correct :) To clarify further, we must leave the access token and refresh token lifetime as the default values defined by Keycloak which is 5 minutes and 30 minutes respectively. Also, bear in mind that customers may change this depending on their own policies.

Tomer, I need to check if the `the default values defined by Keycloak. Also, bear in mind that customers may change this depending on their own policies.` part of your comment can be implemented or not. 

In any case, this BZ should be closed as WONTFIX. Feel free to open it, if you feel otherwise.

Thanks,

Hello,

Sorry, wrong sentence copied in the previous comment!

I meant:

Tomer, I need to check if the `If the keycard has been removed by then, they will not be able to login again.` part of your comment can be implemented or not. 

Thanks,