We worked on a project where we needed to implement:
- single-session, https://nvd.nist.gov/800-53/Rev4/control/AC-10, and
- session-timeout, https://nvd.nist.gov/800-53/Rev4/control/AC-12, on JupyterHub.
Our system is FedRAMP certified.
The architecture of our system is:
- Single Sign-On - Keycloak
- JupyterHub v1.0.0
Our desire is that when a user who is already logged in in one browser authenticates in another browser, the previous session is automatically logged out.
To ensure that there is only one active session per user when that username logs into the system, we disable the previous session. For this:
- We destroy the previous SSO session.
- We destroy the previous Jupyterhub session.
- We destroy any pod that may have been created. In this way, we disconnect any pod and process execution that has been started.
Then, we recreate the new user session.
The session timeout ensures that when there is inactivity the user's session is completely eliminated. See the guide above.
When a user authenticated on JupyterHub has his session closed due to inactivity, we end both the SSO session and any pod that may be running.
If you want to see our code, it’s available.
What do you think about this?
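One way to script the three teardown steps listed in the post, as an added example that is not the poster's code: it calls the Keycloak admin REST API to end the user's SSO sessions, then the JupyterHub REST API to revoke the user's API tokens and stop the single-user server (the pod). The hostnames, realm and bearer tokens are assumptions, and the HTTP call is injected so the sequence can be exercised without a live Hub; JupyterHub 1.0 exposes no REST call to invalidate the Hub login cookie itself, so that part of the approach is not covered here.

```python
"""Added example (not the poster's code): tear down a user's previous session
when a second login is detected.  HUB_API / KC_ADMIN and the tokens are
assumptions; `send` is injected so the logic can be checked offline."""
from typing import Callable, Dict, List, Tuple

HUB_API = "https://hub.example.internal/hub/api"            # assumption
KC_ADMIN = "https://sso.example.internal/admin/realms/lab"  # assumption

# send(method, url, headers) -> (http_status, decoded_json_or_None)
Send = Callable[[str, str, Dict[str, str]], Tuple[int, object]]


def disable_previous_session(username: str, kc_user_id: str,
                             hub_token: str, kc_token: str,
                             send: Send) -> List[str]:
    """Run the post's steps in order: 1) SSO session, 2) Hub tokens, 3) pod.
    Returns an ordered audit log of what was done; raises on a failed step
    so a half-torn-down session is never silently treated as clean."""
    log: List[str] = []
    hub_hdr = {"Authorization": f"token {hub_token}"}
    kc_hdr = {"Authorization": f"Bearer {kc_token}"}

    # 1) Keycloak admin REST: remove every SSO session of this user.
    status, _ = send("POST", f"{KC_ADMIN}/users/{kc_user_id}/logout", kc_hdr)
    if status not in (200, 204):
        raise RuntimeError(f"SSO logout failed for {username}: HTTP {status}")
    log.append("sso-logout")

    # 2) JupyterHub REST: list and revoke the user's API tokens.
    status, body = send("GET", f"{HUB_API}/users/{username}/tokens", hub_hdr)
    if status != 200:
        raise RuntimeError(f"token listing failed for {username}: HTTP {status}")
    for tok in body.get("api_tokens", []):
        status, _ = send("DELETE",
                         f"{HUB_API}/users/{username}/tokens/{tok['id']}", hub_hdr)
        if status != 204:
            raise RuntimeError(f"token revoke failed for {username}: HTTP {status}")
        log.append(f"revoke-token:{tok['id']}")

    # 3) JupyterHub REST: stop the single-user server, i.e. delete the pod.
    #    204 = stopped, 202 = stop in progress, 400 = no server was running.
    status, _ = send("DELETE", f"{HUB_API}/users/{username}/server", hub_hdr)
    if status not in (202, 204, 400):
        raise RuntimeError(f"server stop failed for {username}: HTTP {status}")
    log.append("stop-server")
    return log
```

Only after this returns without raising should the new login be allowed to proceed, which keeps the single-session guarantee strict rather than best-effort.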