When a session in JAM ends after the configured period of inactivity (configuration: Jam Admin Console -> Security), the system offers a "Log in again" button. When the user chooses this button, the system automatically authenticates the user without asking for a username and password.
- Observed in browsers with cleared cookies and cache
- Observed even in Incognito browser
- "Remember me" was never clicked by the customer
By contrast, when the user chooses "Account Settings -> Log out" or the logout button in the "Session Information / Your session will expire soon" window, the session is closed and the user has to retype their username and password -- this should be the expected behavior with the session timeout as well.
Customer is using JAM with IAS (not connected to BizX).
SAP Jam Collaboration
Reproducing the Issue
- Log in to JAM
- Let it time out and wait for the "Session Timed Out" window prompt
- Click "Log in again"
Jam does not redirect you to the login page; instead, it automatically authenticates you without asking for your login credentials.
According to the engineering team, the network trace for the session timeout scenario shows no logout request from Jam to IAS at any point during testing -- from logging in, through the session timeout, to logging in again.
By design, SAP Jam does not send a logout request to its IdP (IAS) upon a session timeout. While the Jam session is terminated upon session timeout, the IAS session is not.
So, unless the IAS session can also be configured to time out after the same duration as the Jam session, or a shorter one, the "Log in again" operation in Jam is simply re-authenticated through IAS using the existing IAS session (without asking the user to enter the password again) when IAS receives the new authentication request from Jam.
Note: The product team is not looking to make any further changes to this Jam session timeout behavior any time soon.
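The exchange described above can be modelled with both sides' messages; this is an added illustration, not SAP code and not taken from the network trace. The class names, message labels, and timeout values are constructed, and the model assumes the IdP idle timer is refreshed only when it authenticates and that the explicit logout button ends the IdP session.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class IdP:
    idle_timeout: int                 # minutes (constructed value; set at the IdP)
    last_seen: Optional[int] = None   # None means no IdP session exists

    def authenticate(self, now, trace):
        # Reuse the IdP session if it is still alive, otherwise prompt the user.
        alive = self.last_seen is not None and now - self.last_seen < self.idle_timeout
        if not alive:
            trace.append((now, "IdP->user", "credential_prompt"))
        self.last_seen = now
        trace.append((now, "IdP->SP", "assertion"))
        return alive                  # True means the user saw no prompt

@dataclass
class SP:
    idp: IdP
    trace: list = field(default_factory=list)

    def login(self, now):
        self.trace.append((now, "SP->IdP", "auth_request"))
        return self.idp.authenticate(now, self.trace)

    def session_timeout(self, now):
        # As the KBA states: the SP session ends, nothing is sent to the IdP.
        self.trace.append((now, "SP", "local_session_ended"))

    def explicit_logout(self, now):
        # Assumption: the logout button also terminates the IdP session.
        self.trace.append((now, "SP->IdP", "logout_request"))
        self.idp.last_seen = None

def relogin_after_timeout(sp_timeout, idp_timeout, click_delay=1):
    """Return (silent_reauth, message trace) for the 'Log in again' path."""
    sp = SP(IdP(idp_timeout))
    sp.login(0)
    sp.session_timeout(sp_timeout)
    return sp.login(sp_timeout + click_delay), sp.trace

def relogin_after_logout(idp_timeout, logout_at=5):
    """Return (silent_reauth, message trace) for the explicit logout path."""
    sp = SP(IdP(idp_timeout))
    sp.login(0)
    sp.explicit_logout(logout_at)
    return sp.login(logout_at + 1), sp.trace
```

With an IdP timeout longer than the Jam timeout, the trace for the timeout path contains no logout request and only the initial credential prompt; with an equal or shorter IdP timeout, the second login prompts again.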
re-login, session timeout, delete cookies, delete cache, browsing history, remember me, logout issue, KBA, LOD-SF-JAM-SSO, Single Sign On & Deeplink, Bug Filed