Session Governance

Summary

Keymate extends standard session management with a hierarchical session model, external system session mapping, and event-driven session termination. The platform inherits baseline session lifecycle controls — creation, idle timeouts, maximum lifetime, and SSO sessions — from the underlying identity server. On top of these, Keymate adds parent-child session relationships, the ability to map platform sessions to sessions in external systems, cascade termination that propagates session invalidation through the hierarchy, and automatic session termination triggered by security events such as user account disablement.

Why It Exists

Enterprise environments require session coordination across multiple systems. When a user authenticates through the platform, downstream applications and external systems may create their own sessions. Without a hierarchical model, terminating a user's access requires individually revoking sessions in every system — a slow and error-prone process. Session governance ensures that terminating a parent session cascades to all dependent sessions, and that security events like account disablement trigger immediate, comprehensive session cleanup.

Where It Fits in Keymate

Sessions bind to organization tickets and tokens. When a session terminates, associated tokens become invalid. The logout model provides the operational interface for triggering session termination at various scopes. Session state feeds into enhanced introspection — when introspection checks whether a token is active, it verifies the underlying session's status.

Boundaries

This page covers session hierarchy, external session mapping, cascade termination, and event-driven termination. It does not cover:

How It Works

Inherited Session Lifecycle

The platform inherits standard session lifecycle controls from the identity server. These include session creation upon authentication, configurable idle timeouts that invalidate sessions after a period of inactivity, maximum session lifetime limits, and SSO session support that allows a single authentication to establish sessions across multiple applications. These capabilities are not Keymate extensions — the underlying identity infrastructure provides them.

Parent-Child Session Hierarchy

Keymate introduces a parent-child relationship between sessions. A parent session (typically the platform-level authentication session) can have multiple child sessions representing downstream application or service sessions. This hierarchy enables the platform to track the full scope of a user's active sessions across systems and to manage them as a coordinated unit rather than as isolated, independent sessions.

External Session Mapping

The platform maps its own sessions to sessions in external systems. When a user's platform authentication results in session creation in an external application, Keymate records the mapping between the platform session and the external session. This mapping enables the platform to include external sessions in lifecycle management operations — particularly termination — without requiring external systems to poll for session status.

Cascade Termination

Terminating a parent session cascades to all child sessions in the hierarchy. When explicit logout, timeout, or administrative action invalidates a parent session, the platform terminates all child sessions linked to that parent. This cascade flows downward only: terminating a child session does not affect the parent or sibling sessions.

Event-Driven Session Termination

The platform responds to security events by automatically terminating affected sessions. When an administrator disables a user account, the platform terminates all active sessions for that user without requiring a separate manual logout action. This event-driven approach ensures that access revocation takes effect immediately rather than waiting for session timeouts or manual intervention.

Diagram

Example Scenario

Scenario

An administrator detects that a user account has been compromised and disables the account. The user has active sessions in the platform and two external applications.

Input

  • Actor: Administrator performing account disablement
  • Resource: User account with active parent session and two child sessions mapped to external systems
  • Action: Disable user account
  • Context: User has an active parent session with child sessions in Application A and Application B

Expected Outcome

  • Applied — The platform detects the account disablement event, terminates the parent session, and cascades termination to both child sessions including the mapped external system sessions. Tokens associated with all terminated sessions become inactive upon introspection.
  • Why: Event-driven termination responds to the account disable event automatically, and cascade termination propagates through the full session hierarchy.
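The mechanics from the "How It Works" sections (hierarchy, external mapping, downward-only cascade, event-driven termination, introspection following session state) applied to this scenario, as an added example that is not Keymate's code: a hypothetical in-memory `SessionStore`; the session ids, token ids and external session ids are constructed, and `revoke_external` stands in for whatever push channel the platform uses to reach an external system.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Session:
    sid: str
    user: str
    parent: Optional[str] = None    # None for the platform-level (parent) session
    external: Optional[str] = None  # mapped external-system session id, e.g. "appA:s1"
    tokens: Set[str] = field(default_factory=set)
    active: bool = True

class SessionStore:
    def __init__(self, revoke_external: Callable[[str], None]):
        self.sessions: Dict[str, Session] = {}
        self.revoke_external = revoke_external  # push revocation; the external side never polls

    def create(self, sid, user, parent=None, external=None, tokens=()) -> Session:
        self.sessions[sid] = Session(sid, user, parent, external, set(tokens))
        return self.sessions[sid]

    def terminate(self, sid: str) -> List[str]:
        """Cascade termination: flows downward only. Returns terminated ids, parent first."""
        s = self.sessions[sid]
        if not s.active:
            return []
        s.active = False
        if s.external:
            self.revoke_external(s.external)  # mapped external session goes with it
        done = [sid]
        for child in [c.sid for c in self.sessions.values() if c.parent == sid]:
            done.extend(self.terminate(child))  # parent and siblings are never touched
        return done

    def on_account_disabled(self, user: str) -> List[str]:  # event-driven: user-level logout
        done: List[str] = []
        for s in list(self.sessions.values()):
            if s.user == user and s.active:
                done.extend(self.terminate(s.sid))
        return done

    def introspect(self, token: str) -> bool:  # a token is active only while its session is
        return any(s.active and token in s.tokens for s in self.sessions.values())

def compromised_account_scenario():
    revoked: List[str] = []  # records which external sessions were actively revoked
    store = SessionStore(revoke_external=revoked.append)
    store.create("p1", "alice", tokens={"tok-p"})
    store.create("c-a", "alice", parent="p1", external="appA:s1", tokens={"tok-a"})
    store.create("c-b", "alice", parent="p1", external="appB:s9", tokens={"tok-b"})
    return store.on_account_disabled("alice"), revoked, store.introspect("tok-a"), store.introspect("tok-p")
```

Calling `terminate()` on a child instead leaves the parent's and siblings' tokens active on introspection, which is the downward-only behaviour the warning below relies on.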

Common Misunderstandings

  • "Terminating a child session terminates the parent" — No. Cascade flows downward only. Terminating a child session leaves the parent and sibling sessions active.

  • "External system sessions are terminated by the external system polling for status" — No. The platform actively terminates mapped external sessions as part of cascade termination rather than relying on external systems to detect session invalidation.

  • "Session timeout behavior is a Keymate extension" — No. Idle timeouts, maximum lifetime, and SSO session support are inherited from the underlying identity server. Keymate extends session management with hierarchy, mapping, and event-driven termination.

Warning

Cascade termination flows downward through the session hierarchy. If you need to terminate all sessions for a user regardless of hierarchy, use user-level logout from the logout model rather than targeting individual parent sessions.

Design Notes / Best Practices

  • Map external system sessions to platform sessions at session creation time to ensure cascade termination reaches all dependent sessions.
  • Use event-driven termination for security-critical account actions (disablement, credential reset) to ensure immediate session cleanup.
  • Design child session integrations to handle termination signals gracefully — the cascade may arrive while the external system is processing a request.

Tip

Combine session hierarchy with the logout model's status tracking to verify that cascade termination reached all child sessions, including those in external systems.

  • Coordinated session termination across platform and external applications
  • Immediate access revocation when a user account is disabled
  • Tracking the full scope of a user's active sessions across integrated systems