Most gateways verify a user once at login and then assume the session can be trusted until it expires. That assumption is comfortable — and expensive when it fails.
Cookies get stolen and replayed from another country. Browser sessions get hijacked while users are logged in. A single privileged account gets shared by three administrators. A user who started a session on a trusted device walks away and leaves it open on a coffee-shop laptop. None of these moments triggers a fresh login, so none of them is caught by a login-time-only trust model.
The other extreme — short, frequent re-authentication — punishes legitimate users without actually solving the problem, because the time between two challenges is still a window where anything can happen.
Trust earned at login should be continuously re-evaluated as the session progresses — quietly when everything looks normal, decisively the moment it doesn't.
Sessions are bound, watched, limited, and ended through one engine.
At login, the session is bound to the user's IP, user agent, and device fingerprint. Every subsequent request is checked against those bindings. A mismatch is not silently ignored — it triggers a binding-anomaly flow that can re-authenticate, restrict, or terminate the session based on policy.
When access policy changes, an attribute is updated, or risk increases mid-session, AAM can force a session re-sync — refreshing the trust context, re-evaluating the conditional access policy, and applying the new rules without making the user start over from the login page.
A single user cannot have an unlimited number of active sessions. Limits are configurable per user group and per service, so a privileged account cannot quietly be shared by three operators and a contractor laptop cannot fan out into a dozen parallel logins.
A logout from one application clears the session at the gateway and propagates through every connected service. Stolen tokens become useless, partial sign-outs do not leave background tabs authenticated, and end-of-day sign-out actually ends the day.
The session controls that turn one-time login into continuous trust — plus the signals on the roadmap that will deepen it.
Every authenticated session is bound to the original IP, the user agent, and a device fingerprint computed at login. A mismatch on any of these signals routes the session through a binding-anomaly flow: re-authenticate, restrict to safe resources, terminate, or log and alert, driven by the conditional access policy for that service. The response is policy-driven for a reason: a source IP can change legitimately (mobile carriers, VPN egress rotation), so a low-risk service may only log an IP change while a privileged one terminates on it.
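The binding and anomaly-routing logic described above, as an added illustration written for this page rather than AAM's own code. The per-service `POLICY` table, the `SERVER_KEY`, the request shape, and the header set used for the fingerprint are assumptions made for the example; the point it shows is that mismatched signals are resolved to the most severe action the service's policy assigns, and that a replayed cookie from another network and browser is caught on its first request.

```python
"""Session binding with a policy-driven binding-anomaly flow.

Added illustration, not AAM's code. POLICY, SERVER_KEY, the request shape
and FINGERPRINT_HEADERS are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical per-service policy: the action taken when a given signal
# no longer matches the value bound at login.
POLICY = {
    "admin-console": {"ip": "terminate", "ua": "terminate", "fp": "terminate"},
    "intranet":      {"ip": "log",       "ua": "reauth",    "fp": "restrict"},
}
SEVERITY = {"allow": -1, "log": 0, "restrict": 1, "reauth": 2, "terminate": 3}

# Key for the fingerprint hash; assumed to be held by the gateway only.
SERVER_KEY = secrets.token_bytes(32)
FINGERPRINT_HEADERS = ("accept-language", "accept-encoding", "sec-ch-ua-platform")


def device_fingerprint(headers: dict) -> str:
    """Keyed hash over a few stable client headers. This is a consistency
    signal, not authentication: an attacker who replays exactly the same
    headers produces exactly the same fingerprint."""
    material = "|".join(headers.get(h, "") for h in FINGERPRINT_HEADERS)
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    service: str
    ip: str
    ua: str
    fp: str
    state: str = "active"  # active | restricted | reauth_required | terminated


def bind_session(user: str, service: str, request: dict) -> Session:
    """Called once at login: records the signals every later request is checked against."""
    return Session(user, service, request["ip"], request["ua"],
                   device_fingerprint(request["headers"]))


def check_binding(session: Session, request: dict) -> tuple[str, list[str]]:
    """Called on every request. Returns (action, mismatched signals) and
    moves the session into the state the action implies. When several
    signals mismatch, the most severe configured action wins."""
    if session.state == "terminated":
        return "terminate", []
    observed = {"ip": request["ip"], "ua": request["ua"],
                "fp": device_fingerprint(request["headers"])}
    bound = {"ip": session.ip, "ua": session.ua, "fp": session.fp}
    mismatched = [s for s in ("ip", "ua", "fp")
                  if not hmac.compare_digest(observed[s].encode(), bound[s].encode())]
    if not mismatched:
        return "allow", []
    policy = POLICY[session.service]
    action = max((policy[s] for s in mismatched), key=SEVERITY.__getitem__)
    if action == "terminate":
        session.state = "terminated"
    elif action == "reauth":
        session.state = "reauth_required"
    elif action == "restrict":
        session.state = "restricted"
    return action, mismatched


# Constructed requests for the demonstration (not captured traffic).
LOGIN_REQUEST = {"ip": "203.0.113.10",
                 "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0",
                 "headers": {"accept-language": "en-GB", "accept-encoding": "gzip, br",
                             "sec-ch-ua-platform": '"Linux"'}}
# Same cookie replayed from another network and browser; other headers copied verbatim.
REPLAY_REQUEST = {**LOGIN_REQUEST, "ip": "198.51.100.7",
                  "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}

if __name__ == "__main__":
    s = bind_session("alice", "admin-console", LOGIN_REQUEST)
    print(check_binding(s, LOGIN_REQUEST))   # ('allow', [])
    print(check_binding(s, REPLAY_REQUEST))  # ('terminate', ['ip', 'ua'])
```

Note that the fingerprint alone never catches a replay that copies every header; it is the combination with IP and user-agent bindings, and the per-service choice of action, that does the work.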
When the policy that authorized a session changes, when an attribute is updated, or when an external signal demands it, AAM can force a session re-sync. The trust context is rebuilt, the conditional access policy is re-evaluated, and the session continues — without forcing the user to repeat login or lose their work in progress.
Sessions expire on two clocks: an idle timeout that runs whenever the user is inactive, and an absolute timeout that runs regardless of activity. Both are configurable per service group, so a low-risk intranet app can stay open all day while a privileged admin session expires after a short window of inactivity.
Administrators set the maximum number of active sessions per user, per group, or per service. When the limit is reached, a new login can either be refused, replace the oldest session, or require explicit confirmation — preventing silent account sharing and surfacing unusual login bursts immediately.
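The two lifecycle clocks and the concurrent-session limit from the previous two paragraphs, as one added example written for this page rather than AAM's own code. `GROUP_POLICY`, the three `on_limit` modes, and the in-memory `SessionStore` (a stand-in for the Redis-backed store) are assumptions made for the example. It shows why the absolute clock is checked before the idle one, why expired sessions are swept before the limit is applied, and how each of the three limit behaviours plays out.

```python
"""Idle and absolute timeouts plus concurrent-session limits.

Added illustration, not AAM's code. GROUP_POLICY values and the in-memory
store (a stand-in for the Redis-backed one) are assumptions for the example.
"""
from dataclasses import dataclass

# Hypothetical per-service-group policy. Times are seconds.
# on_limit: "refuse" | "replace_oldest" | "confirm"
GROUP_POLICY = {
    "intranet":         {"idle": 8 * 3600, "absolute": 12 * 3600, "max_sessions": 5, "on_limit": "replace_oldest"},
    "privileged-admin": {"idle": 15 * 60,  "absolute": 4 * 3600,  "max_sessions": 1, "on_limit": "refuse"},
    "contractor":       {"idle": 30 * 60,  "absolute": 8 * 3600,  "max_sessions": 2, "on_limit": "confirm"},
}


@dataclass
class Session:
    id: str
    user: str
    group: str
    created: float    # absolute clock starts here and never resets
    last_seen: float  # idle clock restarts on every accepted request
    active: bool = True


class SessionStore:
    def __init__(self):
        self.sessions: dict[str, Session] = {}

    def _expiry(self, s: Session, now: float):
        """Which clock, if any, has run out. Absolute is checked first so a
        busy session cannot outlive its hard ceiling."""
        pol = GROUP_POLICY[s.group]
        if now - s.created >= pol["absolute"]:
            return "absolute_timeout"
        if now - s.last_seen >= pol["idle"]:
            return "idle_timeout"
        return None

    def active_for(self, user: str, group: str) -> list[Session]:
        live = [s for s in self.sessions.values()
                if s.user == user and s.group == group and s.active]
        return sorted(live, key=lambda s: s.created)

    def touch(self, sid: str, now: float) -> str:
        """Per-request check: 'ok', 'idle_timeout', 'absolute_timeout' or 'terminated'."""
        s = self.sessions[sid]
        if not s.active:
            return "terminated"
        why = self._expiry(s, now)
        if why:
            s.active = False
            return why
        s.last_seen = now
        return "ok"

    def login(self, sid: str, user: str, group: str, now: float, confirmed: bool = False) -> str:
        """Apply the group's concurrent-session limit before creating a session."""
        pol = GROUP_POLICY[group]
        # Sweep expired sessions first so dead ones never count toward the limit.
        for s in self.active_for(user, group):
            if self._expiry(s, now):
                s.active = False
        live = self.active_for(user, group)
        if len(live) >= pol["max_sessions"]:
            if pol["on_limit"] == "refuse":
                return "refused"
            if pol["on_limit"] == "confirm" and not confirmed:
                return "confirmation_required"
            live[0].active = False  # replace_oldest, or confirm after explicit confirmation
        self.sessions[sid] = Session(sid, user, group, now, now)
        return "created"


if __name__ == "__main__":
    st = SessionStore()
    print(st.login("a1", "alice", "privileged-admin", 0))   # created
    print(st.login("a2", "alice", "privileged-admin", 60))  # refused
    print(st.touch("a1", 600))                              # ok
    print(st.touch("a1", 1500))                             # idle_timeout
```

In a real deployment the sweep-then-count step has to be atomic against the shared store (a Lua script or transaction in Redis), otherwise two logins racing each other can both slip under the limit.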
Logging out from one application triggers a clean session termination at the gateway, which then propagates through every connected service. There is no orphaned session left active in another tab, no token still valid in a forgotten browser, and no partial sign-out that the user thought was complete.
If a session is temporarily lost, whether through a brief storage hiccup, a forced re-sync, or a network outage, the user lands on a recovery page that re-authenticates them and restores their context. The flow is deliberate and audited, not a silent re-login, so a recovery attempt by an attacker shows up as a distinct audited event instead of blending into normal traffic.
A planned trust-score engine will combine multiple live signals — binding match strength, dwell time, click cadence, navigation pattern, endpoint trust input, geographic stability — into a single continuous score that drives policy decisions. Today the same signals are evaluated discretely through binding mismatches, lifecycle timers, and re-sync events; the score will collapse them into one tunable number.
Behavioral baselines (typing rhythm, navigation pattern, time-of-day, asset access order) are on the roadmap as additional signals to the trust-score engine. The goal is not to fingerprint users invasively but to surface clear deviations — a user who never touches the finance app suddenly downloading every report — as anomalies that step up trust requirements.
The plumbing that makes continuous evaluation reliable, fast, and auditable.
Session state lives in Redis so any gateway pod can pick up any session at any step. Binding checks, re-sync triggers, and concurrent-session counts stay consistent across horizontally scaled deployments because every pod reads and updates the same store, with no pod-to-pod coordination.
Every session event — bind, mismatch detected, re-sync forced, timeout fired, concurrent limit hit, sign-out — writes a structured audit entry with timestamp, source IP, user agent, and outcome. Sessions can be reconstructed in one timeline from the audit log, and the stream forwards into the platform's SIEM streaming target.
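The structured audit stream described above lends itself to exactly the kind of one-query reconstruction the page promises. The following is an added example written for this page, not AAM's audit format or tooling: the JSON-lines sample is constructed, and the field names (`ts`, `event`, `session`, `user`, `ip`, `ua`, `outcome`) and event vocabulary are assumptions. It rebuilds a per-session timeline and sweeps the stream in time order to surface accounts whose simultaneously active sessions were bound from different endpoints, which is the shared-credential pattern.

```python
"""Timeline reconstruction and shared-account detection over a session audit stream.

Added illustration, not AAM's code. The log sample is constructed and the
field names and event vocabulary are assumptions made for the example.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit stream, one JSON object per line, carrying the
# fields the page lists: timestamp, event, source IP, user agent, outcome.
AUDIT_LOG = """\
{"ts":"2024-05-06T08:00:00Z","event":"bind","session":"s1","user":"root-ops","ip":"203.0.113.10","ua":"Firefox/125","outcome":"ok"}
{"ts":"2024-05-06T08:05:00Z","event":"bind","session":"s2","user":"root-ops","ip":"198.51.100.7","ua":"Chrome/124","outcome":"ok"}
{"ts":"2024-05-06T08:09:00Z","event":"bind","session":"s3","user":"root-ops","ip":"192.0.2.44","ua":"Safari/17","outcome":"concurrent_limit_hit"}
{"ts":"2024-05-06T08:30:00Z","event":"mismatch","session":"s1","user":"root-ops","ip":"192.0.2.99","ua":"Chrome/124","outcome":"terminate"}
{"ts":"2024-05-06T09:00:00Z","event":"bind","session":"s4","user":"alice","ip":"203.0.113.20","ua":"Firefox/125","outcome":"ok"}
{"ts":"2024-05-06T09:45:00Z","event":"timeout","session":"s4","user":"alice","ip":"203.0.113.20","ua":"Firefox/125","outcome":"idle"}
{"ts":"2024-05-06T17:00:00Z","event":"signout","session":"s2","user":"root-ops","ip":"198.51.100.7","ua":"Chrome/124","outcome":"propagated"}
"""

# (event, outcome) pairs that end a session's active interval.
TERMINAL = {("mismatch", "terminate"), ("timeout", "idle"),
            ("timeout", "absolute"), ("signout", "propagated")}


def parse_audit(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def session_timeline(entries: list[dict], sid: str) -> list[tuple[str, str, str]]:
    """One ordered timeline per session: (timestamp, event, outcome)."""
    return [(e["ts"].isoformat(), e["event"], e["outcome"])
            for e in entries if e["session"] == sid]


def shared_accounts(entries: list[dict]) -> dict[str, set[tuple[str, str]]]:
    """Users whose concurrently active sessions were bound from more than one
    distinct (ip, ua) endpoint. A single sweep in time order keeps the set of
    live sessions per user and flags the user the moment a second endpoint
    appears alongside a still-active one."""
    active: dict[str, dict[str, tuple[str, str]]] = defaultdict(dict)
    flagged: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for e in entries:
        user, sid = e["user"], e["session"]
        if e["event"] == "bind" and e["outcome"] == "ok":
            active[user][sid] = (e["ip"], e["ua"])
            endpoints = set(active[user].values())
            if len(endpoints) > 1:
                flagged[user] |= endpoints
        elif (e["event"], e["outcome"]) in TERMINAL:
            active[user].pop(sid, None)
    return dict(flagged)


def limit_hits(entries: list[dict]) -> list[tuple[str, str, str]]:
    """Logins refused by the concurrent-session limit: (user, session, timestamp)."""
    return [(e["user"], e["session"], e["ts"].isoformat())
            for e in entries if e["outcome"] == "concurrent_limit_hit"]


if __name__ == "__main__":
    log = parse_audit(AUDIT_LOG)
    print(session_timeline(log, "s1"))
    print(shared_accounts(log))   # {'root-ops': {('203.0.113.10', 'Firefox/125'), ('198.51.100.7', 'Chrome/124')}}
    print(limit_hits(log))
```

The same sweep runs unchanged over a SIEM export of the stream; the only thing that changes is where `AUDIT_LOG` comes from.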
When a session needs to step up — risk rose, the user reached a higher-sensitivity resource, the policy demands it — the trust evaluator hands off to the MFA action inside the conditional access policy. The user only handles the additional factor; the session itself continues without a fresh login.
Instead of dropping a session outright when trust degrades, policy can downgrade it to read-only — letting the user continue viewing what they were doing while preventing any destructive operation. The user sees a clear advisory; the security team sees the decision in the audit stream.
Native input from the endpoint trust manager (ETM) is on the roadmap so device-posture changes (disk encryption disabled, AV signature drift, jailbreak detected) feed directly into the session's trust evaluation. Today the same signals flow in via request headers, which the gateway must accept only from the trusted component that sets them and never from the client; the native path will make the integration tighter and lower-latency.
A live session dashboard is planned so administrators can see active sessions per user and per asset, drill into the binding state and audit timeline, and force re-sync, step-up, or termination from the same view. Until it ships, the same operations run through the gateway admin API.
An attacker who exfiltrates a session cookie and replays it from another network and browser is caught by binding mismatch the moment the first request hits the gateway — without waiting for the user's next login.
A privileged operator whose source IP changes country mid-session is stepped up to MFA before the next sensitive action; an endpoint that drops out of managed posture has its session downgraded to read-only until the device is back in compliance.
A single privileged account that three operators are quietly sharing is surfaced by the concurrent-session limit and the audit timeline — visible from one query without anyone having to admit they were sharing the credentials.
PCI DSS, HIPAA, and ISO 27001 audits ask for evidence that privileged sessions are bounded, monitored, and cleanly terminated. Per-event audit gives one timeline per session that the auditor can replay without manual reconstruction.
One engine for binding, lifecycle, concurrent limits, and sign-out — with every session event audited. We'll walk through a live deployment on your applications.