Limit concurrent user sessions

To limit the number of sessions a user can run at once, configure a Keycloak authentication flow. The flow that you must configure depends on how you authenticate users:

  • Configure a browser flow if you use local or LDAP/AD authentication.

  • Configure a post-sign in client flow if you use SSO.

Note
 The browser flow is internal to Keycloak and can’t be modified, so you must make a copy of it first.

In addition, to limit concurrent sessions for API access, you must set up a Domino First Broker Login flow.

You can limit the number of active user sessions that a user can have open at one time. When a user reaches the user session limit, they must end their current user sessions before they begin a new session. You can stop user sessions from the Keycloak admin console, or users can sign out on their own.

Use Keycloak’s user management

Concurrent user session limits must be applied individually to each flow. If you have multiple clients or flows, you must add a concurrent user session limit for each one.

Browser flow for Local and LDAP/AD authentication

  1. Copy the default browser flow (this default flow can’t be customized directly).

  2. Click the copy of the default flow.

  3. Click the <Flow Name> Forms row from XYZ.

  4. From Actions, click Add Execution.

  5. Click User Session Count Limiter if the limit should be applied to a single user. Click Realm Session Count Limiter if the limit should be applied to all the users in a realm. A realm is the Keycloak version of a tenant.

  6. Return to the flow page.

  7. Set the execution you created to Required.

  8. From the Actions menu, click Config.

  9. Create a name for the execution and configure the authenticator. For User Session Count Limiter, you can select Deny new session or Terminate oldest session as the desired behavior.

  10. Click Clients > domino-play.

  11. In Authentication Flow Overrides, from Browser Flow, click your copied browser flow, and click Save.

First broker flow for API access

  1. Copy the direct grant flow (this default flow can’t be customized directly).

  2. Click the copy of the default flow.

  3. Click Add Execution on the Actions menu.

  4. Click User Session Count Limiter if the limit should be applied to a single user. Click Realm Session Count Limiter, if the limit should be applied to a group of users.

  5. Return to the flow page.

  6. Set the execution you just created to Required and click Config from the Actions menu in the same line.

  7. Create a name for the execution and configure the authenticator. For User Session Count Limiter, you can select Deny new session or Terminate oldest session as the desired behavior.

  8. Click Clients > domino-play.

  9. In Authentication Flow Overrides, from Direct Grant Flow, click your copied direct grant flow, and click Save.

SSO version

Unlike other kinds of flows, you can’t directly add a user session limit to a client authentication flow. However, you can still limit the number of user sessions if you add a flow that executes after the user signs in:

  1. From the Keycloak sidebar, click Authentication.

  2. Click New on the Flow Definition page.

  3. Name the new flow, set the flow type to generic and click Save.

  4. Click Add Execution on the Actions menu.

  5. Click User Session Count Limiter if the limit should be applied to a single user. Click Realm Session Count Limiter if the limit should be applied to a group of users.

  6. Return to the flow page.

  7. Set the execution you just created to Required and click Config from the Actions menu in the same line.

  8. Create a name for the execution and configure the authenticator. For User Session Count Limiter, you can select Deny new session or Terminate oldest session as the desired behavior.

  9. From the sidebar, click Identity Providers and click your SSO provider.

  10. Open the Post Login Flow menu and click the flow you just created.

  11. Click Save.

Next steps