Configuring Session Revocation

Session revocation is configured in Access.

Before you begin 

  • Verify the following before configuring session revocation:
    • You have an Access deployment with a UEM.
    • The Access administrator has the Common Platform Services (CPS) role in UEM.

      Cloud: For information on assigning roles, see “Assigning Roles to Users” in the Cloud Administrator Guide or click Help in the Cloud administrative portal.

      Core: For information on assigning roles, see the Core Delegated Administration Guide.

    • Common Platform Services Notifications is enabled in UEM.

      Cloud: Go to Admin > Common Platform Services Notifications, and enable Common Platform Services Notifications.

      Core: From the Core command line interface (CLI), enter the following command in CONFIG mode: activemq

    • Compliance policies are defined in the UEM. Access revokes session tokens when the UEM reports a device as retired or non-compliant.

      For information about configuring compliance polices, see your UEM documentation.

      Cloud: See “Policies” in the Cloud Administrator Guide or click Help in the Cloud administrative portal.

      Core: See the Core Device Management Guide.

    • Users are LDAP users registered in the UEM, with userPrincipalName and objectGUID configured as custom attributes.

      Cloud: See Configuring LDAP in Cloud for session revocation.

      Core: See Configuring LDAP in Core for session revocation.

    • Port 8883 is open in the firewall so that Access can pick up queued events from the UEM.
  • For Office 365
    • A federated pair for Office 365 with ADFS is configured in Access.
    • An app registration for the Access revocation service exists in Microsoft Azure. This app registration grants Access permission to revoke session tokens for Office 365.
      For information about creating an app registration for the Access session revocation service, see the knowledge base article
      Configuring an application in Azure for the session revocation service (SRS) for Office 365 (Azure AD). Make a note of the Azure directory ID, application ID, and the secret key.
  • For G Suite
    • A federated pair with G Suite and any appropriate IdP configured in Access.
    • A service account key file generated with the Google API console. This service account grants Access permission to revoke session tokens from G Suite.
      For more information about creating the service account key file, see the knowledge base article Configuring G Suite for the session revocation service (SRS). Make a note of the G Suite service account key.

Procedure 

  1. In Access, go to Profile > Session Revocation.
    The Service Provider Configuration page displays.
  2. In the Service Provider Configuration page, click +Add Configuration.
  3. For service provider, select Office 365 or G Suite as appropriate.
  4. Enter the following information.

    Item                             Description

    Name                             Enter a name for the configuration.
    Add Description                  Add a description for the configuration.

    Configuration for Office 365

    Azure Directory ID               Enter the Azure directory ID.
    Application ID                   Enter the application ID from the app registration you created for the Access session revocation service in Azure.
    Secret key                       Enter the Azure secret key from the same app registration.

    Configuration for G Suite

    G Suite Service Account Key      Provide the service account key file in JSON format. To obtain this file, follow the knowledge base article Configuring G Suite for the session revocation service (SRS), listed under Before you begin.
    G Suite administrator Email ID   Enter the Super Admin email ID.

  5. Click Save.
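A mistyped directory ID, a pasted secret with trailing whitespace, or a downloaded OAuth client file instead of a service-account key all save without error in the page above and only show up later as revocations that silently never happen. The following preflight script is an added example, not Ivanti/MobileIron product code; it checks the values from step 4 before they are entered in Access. It assumes that Azure directory and application IDs are GUIDs, that the G Suite key is a standard Google service-account JSON key (type, project_id, private_key_id, private_key, client_email, client_id, token_uri), and that the Super Admin account is a plain e-mail address. The sample key at the bottom is constructed and contains no real credential.

```python
"""Preflight checks for the Access Session Revocation configuration values.

Added example (not product code). Assumptions: Azure directory/application IDs are
GUIDs, the G Suite key is a standard service-account JSON key, and the admin account
is an ordinary e-mail address.
"""
import json
import re
import socket

# Standard field set Google writes into a service-account key file (assumption).
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _is_guid(value):
    return isinstance(value, str) and GUID_RE.fullmatch(value.strip()) is not None


def check_office365(directory_id, application_id, secret_key):
    """Return a list of problems with an Office 365 configuration (empty list = OK)."""
    problems = []
    if not _is_guid(directory_id):
        problems.append("Azure directory ID is not a GUID")
    if not _is_guid(application_id):
        problems.append("Application ID is not a GUID")
    if not secret_key or not secret_key.strip():
        problems.append("Secret key is empty")
    elif secret_key != secret_key.strip():
        # Trailing newline/space from a clipboard copy is a classic cause of auth failures.
        problems.append("Secret key has leading/trailing whitespace (copy-paste artifact)")
    return problems


def check_gsuite(key_file_text, admin_email):
    """Return a list of problems with a G Suite configuration (empty list = OK)."""
    problems = []
    try:
        key = json.loads(key_file_text)
    except json.JSONDecodeError as exc:
        return [f"Service account key is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["Service account key JSON is not an object"]
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        problems.append("Service account key is missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        # An OAuth client or authorized_user file looks similar but cannot act as a service.
        problems.append(f"Key 'type' is {key.get('type')!r}, expected 'service_account'")
    pk = key.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----")
            and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 block")
    if not EMAIL_RE.match(admin_email or ""):
        problems.append("Administrator email ID is not an e-mail address")
    elif admin_email == key.get("client_email"):
        problems.append("Administrator email ID is the service account itself; enter the Super Admin user")
    return problems


def port_open(host, port=8883, timeout=3.0):
    """True if a TCP connection to host:port succeeds (the queue port Access must reach)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample key for demonstration only; the private_key body is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERBASE64BODY\n-----END PRIVATE KEY-----\n",
    "client_email": "srs@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_office365("11111111-2222-3333-4444-555555555555",
                          "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "s3cret"))
    print(check_gsuite(SAMPLE_KEY, "admin@example.com"))
    print("UEM queue port reachable:", port_open("uem.example.com"))  # hypothetical host
```

Run it with the real values (and the UEM hostname) before step 4; an empty list from each check and True from port_open means the inputs are at least well-formed and the queue port is reachable. The checks are syntactic: they do not prove that the app registration or service account was granted the permissions described in the knowledge base articles.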