1 of 3

Limit users sessions

As a security measure, Akamas lets you enforce a limit on the number of concurrent sessions per user, by default, this is set to terminate the oldest sessions and keep only a restricted number alive. If you wish to change the behavior limit, you can do so by configuring the Akamas realm in Keycloak.

The section Local Users explains how to properly configure users stored in Keycloak. The page Identity Provider users explains how to apply the same limit for users managed by an Identity Provider.

Local users

First, access the Keycloak admin console with the instructions provided on the page Accessing Keycloak admin console.

On the Authentication page, select the "browser" flow and scroll the "User session count limiter" entry.

On the row "User session count limiter", click on the cog icon. From here you can choose the maximum concurrent sessions for each user, and the behavior when the maximum number is reached. Select "Deny new session" to deny new accesses. if previous sessions are not properly terminated, you may need to delete them from the Keycloak console under the Users section.

Identity provider users

If you have configured ore or more Identity Providers, you can also limit the number of concurrent user sessions. First, access the Keycloak admin console with the instructions provided on the page Accessing Keycloak admin console.

Click on the "create flow" button, provide a name, and then select the flow type "Basic Flow" and click on create.

Now click on "add execution"

A dialog pops up with a list of possible actions, filter the results with the limit keyword.

Select "User session count limiter" and click on "Add".

Set this new step as "Required" from the drop-down then click on the cog icon to edit its properties

Give it a meaningful alias and type in the maximum concurrent session value you desire. Select the behavior "Deny new session" from the drop-down list. Type in a valid message in the textbox "Optional custom error message" and click on "Save".

Now go to the identity provider page and click on the Identity provider you want to limit.

Scroll down to the bottom, click on the "Post login flow" dropdown, and select the new step you just created then click on the "Save" button.