Check if a user has an active session via the back channel using session_index

After a user has logged in interactively, a downstream non-browser application can request the status of that user's session via a back-channel request.

Ubisecure SSO includes the /uas/status endpoint for this purpose.

OAuth2 id_tokens contain the Ubisecure extension claim session_index, which can be used to resolve the current SSO session status for the user session the token was issued for.

Step-by-step guide


  1. For the request, you need the EntityID of the SAML2 application or the client_id of the OAuth2 application.

  2. The id_token and userinfo response contain an OAuth2 extension claim called session_index. Pass this session_index value to the non-interactive application, which then calls the /uas/status endpoint over the back channel with the sessionIndex and entityID parameters.
    The session_index value cannot be used to retrieve user information; it only tells you whether there is a valid session or not.

    e.g.

    https://XXXXXX.example.com/uas/status?entityID={client_id}&sessionIndex={session_index}&type=application/json

    The response is in JSON format by default. XML is also supported: send the query parameter "type" with the value "application/xml" or "application/json" to select XML or JSON respectively.

  3. If there is a session, the request and response look like this:

    Request
    https://mno.ubidemo.com/uas/status?entityID=c495bb59-f0ae-430a-9830-ca8228aa58fe&sessionIndex=_d6ee2628b0d493809650c06b2653083511d6e474

    The response is in JSON format

    Response
    {
      "valid": true,
      "issueInstant": 1499433097694,
      "refresh": false,
      "entityID": "c495bb59-f0ae-430a-9830-ca8228aa58fe",
      "sessionIndex": "_d6ee2628b0d493809650c06b2653083511d6e474",
      "sessionNotOnOrAfter": 1499436584471,
      "authnInstant": 1499432984462
    }
  4. If you include the parameter refresh=true, the user session is extended:

    Request
    https://mno.ubidemo.com/uas/status?entityID=c495bb59-f0ae-430a-9830-ca8228aa58fe&sessionIndex=_d6ee2628b0d493809650c06b2653083511d6e474&refresh=true

    Notice how the sessionNotOnOrAfter value increases in the response.

    Response
    {
      "valid": true,
      "issueInstant": 1499433264743,
      "refresh": true,
      "entityID": "c495bb59-f0ae-430a-9830-ca8228aa58fe",
      "sessionIndex": "_d6ee2628b0d493809650c06b2653083511d6e474",
      "sessionNotOnOrAfter": 1499436864743,
      "authnInstant": 1499432984462
    }
  5. If there is no session, the response looks like this:

    Invalid session response
    {
       "valid":false,
       "issueInstant":1495183121690
    }
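The steps above, as a small back-channel client. This is an added example, not Ubisecure's own code: it builds the /uas/status URL exactly as documented (entityID, sessionIndex, type and the optional refresh=true), parses the three response shapes shown above, checks that a valid response actually refers to the session that was asked about, and decides whether a refresh is warranted. The host name, the SessionStatus class, the function names and the refresh threshold are assumptions for illustration; the sample responses are the ones printed on this page.

```python
"""Back-channel session status check against the Ubisecure SSO /uas/status endpoint.

Added example, not Ubisecure's client code. Only the query parameters and JSON fields
documented on this page are relied on; everything else (host, helper names, the
refresh threshold) is an assumption for illustration.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Values taken from the example requests on this page.
BASE_URL = "https://mno.ubidemo.com"                      # assumed host
ENTITY_ID = "c495bb59-f0ae-430a-9830-ca8228aa58fe"       # client_id / EntityID
SESSION_INDEX = "_d6ee2628b0d493809650c06b2653083511d6e474"

# Constructed sample responses, copied from the page, so the parsing runs offline.
VALID_RESPONSE = '''{"valid": true, "issueInstant": 1499433097694, "refresh": false,
  "entityID": "c495bb59-f0ae-430a-9830-ca8228aa58fe",
  "sessionIndex": "_d6ee2628b0d493809650c06b2653083511d6e474",
  "sessionNotOnOrAfter": 1499436584471, "authnInstant": 1499432984462}'''
REFRESHED_RESPONSE = '''{"valid": true, "issueInstant": 1499433264743, "refresh": true,
  "entityID": "c495bb59-f0ae-430a-9830-ca8228aa58fe",
  "sessionIndex": "_d6ee2628b0d493809650c06b2653083511d6e474",
  "sessionNotOnOrAfter": 1499436864743, "authnInstant": 1499432984462}'''
INVALID_RESPONSE = '{"valid": false, "issueInstant": 1495183121690}'


@dataclass
class SessionStatus:
    valid: bool
    issue_instant: int                      # server time of the answer, epoch milliseconds
    session_not_on_or_after: Optional[int]  # epoch milliseconds; absent when the session is invalid
    refreshed: bool                         # whether this call extended the session

    def remaining_ms(self) -> int:
        """Session lifetime left, measured on the server's clock (0 for an invalid session)."""
        if not self.valid or self.session_not_on_or_after is None:
            return 0
        return max(0, self.session_not_on_or_after - self.issue_instant)


def build_status_url(base_url: str, entity_id: str, session_index: str, refresh: bool = False) -> str:
    """Build the documented status URL; safe='/' keeps type=application/json unescaped as on the page."""
    params = {"entityID": entity_id, "sessionIndex": session_index, "type": "application/json"}
    if refresh:
        params["refresh"] = "true"
    return base_url.rstrip("/") + "/uas/status?" + urllib.parse.urlencode(params, safe="/")


def parse_status(body: str, entity_id: str, session_index: str) -> SessionStatus:
    """Parse a JSON status response and bind it to the session that was asked about."""
    data = json.loads(body)
    valid = bool(data.get("valid"))
    if valid and (data.get("entityID") != entity_id or data.get("sessionIndex") != session_index):
        # A valid answer for some other session must never be taken as "our" user is logged in.
        raise ValueError("status response does not match the requested entityID/sessionIndex")
    return SessionStatus(
        valid=valid,
        issue_instant=int(data["issueInstant"]),
        session_not_on_or_after=data.get("sessionNotOnOrAfter"),
        refreshed=bool(data.get("refresh", False)),
    )


def check_session(base_url: str, entity_id: str, session_index: str,
                  refresh: bool = False, timeout: float = 5.0) -> SessionStatus:
    """Perform the back-channel call (needs network access; not exercised offline)."""
    url = build_status_url(base_url, entity_id, session_index, refresh)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_status(resp.read().decode("utf-8"), entity_id, session_index)


def should_refresh(status: SessionStatus, user_active: bool, min_remaining_ms: int = 5 * 60 * 1000) -> bool:
    """Refresh only for a valid session that the user is actually using and that is close to expiry.

    Refreshing on every poll would keep the SSO session alive for as long as polling
    continues, whether or not anyone is at the keyboard. The 5-minute threshold is an assumption.
    """
    return status.valid and user_active and status.remaining_ms() < min_remaining_ms


if __name__ == "__main__":
    for body in (VALID_RESPONSE, REFRESHED_RESPONSE, INVALID_RESPONSE):
        s = parse_status(body, ENTITY_ID, SESSION_INDEX)
        print(f"valid={s.valid} refreshed={s.refreshed} remaining_ms={s.remaining_ms()} "
              f"refresh_now={should_refresh(s, user_active=True)}")
```

Because the response carries both issueInstant and sessionNotOnOrAfter, a caller can compute how long the session is good for on the server's clock and cache the answer until then instead of polling on a fixed interval; the refresh decision is kept separate from the status check so that a plain poll never extends a session as a side effect.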


Consider system performance when designing when and how often to make such requests, to prevent unnecessary load: the response already states when the session expires (sessionNotOnOrAfter), so there is no need to poll more often than that. Also be deliberate about refresh=true: every refreshed call pushes sessionNotOnOrAfter forward, so refreshing on each poll regardless of whether the user is still active keeps the SSO session alive for as long as the polling continues.