Rate this page

Session Management

The Ping Identity Data Governance Broker session management sub-resource allows a privileged client to manage an end user’s active login sessions at the Data Governance Broker.

When a user authenticates through the Data Governance Broker’s authorization endpoint using a web browser, a cookie is created on the user’s browser; this cookie references a session that is persisted to the Data Governance Broker’s user store. The session information contains data about the user-agent, IP address, and authentication methods.

The following table describes the fields of a single session resource.

Field Type Provided? Description
schemas array always The SCIM schema of the session resource. Always has the value urn:pingidentity:scim:api:messages:2.0:session.
meta complex always Will always contain a resourceType sub-attribute with the value Session. Will always contain a location attribute with the session resource’s canonical URI.
id string always The session ID.
lastLoginMethods array always The authentication methods successfully used during the last login event.
lastSecondFactorMethods array always The authentication methods successfully used during the last second factor event.
lastLogin string always The last time of a successful login event.
lastSecondFactor string always The last time of a successful second factor event.
ipAddress string always The IP address of the user agent that was used to perform the authentication.
userAgentString string always The User-Agent string of the user-agent that was used when this session was created.

Retrieve a user’s sessions

GET /scim/v2/Users/{id}/sessions

GET /scim/v2/Me/sessions

This retrieves a user’s active sessions.

The response is formatted as a list response containing zero or more matching session resources in the Resources field. If the request was valid, then the response will always use a 200 status code, even if no matching resources are found.

Example request:

GET /scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions HTTP/1.1
Accept: application/scim+json
Authorization: Bearer AUYsTbtwMNEjWj...
Content-Type: application/scim+json
Host: example.com:443

Example response:

HTTP/1.1 200 OK
Content-Length: 1201
Content-Type: application/scim+json
Date: Thu, 09 Jun 2016 23:26:35 GMT

{
    "Resources": [
        {
            "id": "s.xEuX6Q",
            "ipAddress": "192.168.201.66", 
            "lastLogin": "2016-06-09T04:11:20.998Z", 
            "lastLoginMethods": [
                "password"
            ], 
            "meta": {
                "location": "https://example.com/scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions/s.xEuX6Q", 
                "resourceType": "Session"
            }, 
            "schemas": [
                "urn:pingidentity:scim:api:messages:2.0:session"
            ], 
            "userAgentString": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17"
        }, 
        {
            "id": "s.r77kLQ",
            "ipAddress": "192.168.201.66", 
            "lastLogin": "2016-06-09T20:47:55.446Z", 
            "lastLoginMethods": [
                "password"
            ], 
            "meta": {
                "location": "https://example.com/scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions/s.r77kLQ", 
                "resourceType": "Session"
            }, 
            "schemas": [
                "urn:pingidentity:scim:api:messages:2.0:session"
            ], 
            "userAgentString": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
        }
    ], 
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ], 
    "totalResults": 2
}

Search for a user’s sessions (GET)

GET /scim/v2/Users/{id}/sessions?filter={filter}

GET /scim/v2/Me/sessions?filter={filter}

A client may filter for a single user’s matching sessions by performing a GET and providing a filter query parameter. Pagination parameters may also be provided. The filter format is described in the Searching section.

The response is formatted as a list response containing zero or more matching session resources in the Resources field. If the request was valid, then the response will always use a 200 status code, even if no matching resources are found.

Example request using the filter userAgentString co "Chrome":

GET /scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions?filter=userAgentString%20co%20%22Chrome%22 HTTP/1.1
Accept: application/scim+json
Authorization: Bearer AUYsTbtwMNEjWj...
Content-Length: 126
Content-Type: application/scim+json
Host: example.com:443

Example response:

HTTP/1.1 200 OK
Content-Length: 650
Content-Type: application/scim+json
Date: Thu, 09 Jun 2016 23:04:48 GMT

{
    "Resources": [
        {
            "id": "s.r77kLQ",
            "ipAddress": "192.168.201.66", 
            "lastLogin": "2016-06-09T20:47:55.446Z", 
            "lastLoginMethods": [
                "password"
            ], 
            "meta": {
                "location": "https://example.com/scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions/s.r77kLQ", 
                "resourceType": "SessionMetadata"
            }, 
            "schemas": [
                "urn:pingidentity:scim:api:messages:2.0:session"
            ], 
            "userAgentString": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
        }
    ], 
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ], 
    "totalResults": 1
}

Search for a user’s sessions (POST)

POST /scim/v2/Users/{id}/sessions/.search

POST /scim/v2/Me/sessions/.search

A client may filter for a single user’s matching sessions by performing a POST against the special .search endpoint and providing a filter value. Pagination directives may also be provided. The filter format is described in the Searching section.

The response is formatted as a list response containing zero or more matching session resources in the Resources field. If the request was valid, then the response will always use a 200 status code, even if no matching resources are found.

Example request using the filter userAgentString co "Chrome":

POST /scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions/.search HTTP/1.1
Accept: application/scim+json
Authorization: Bearer AUYsTbtwMNEjWj...
Content-Type: application/scim+json
Host: example.com:443

{
    "filter": "userAgentString co \"Chrome\""
}

Example response:

HTTP/1.1 200 OK
Content-Length: 650
Content-Type: application/scim+json
Date: Thu, 09 Jun 2016 23:04:48 GMT

{
    "Resources": [
        {
            "id": "s.r77kLQ",
            "ipAddress": "192.168.201.66",
            "lastLogin": "2016-06-09T20:47:55.446Z",
            "lastLoginMethods": [
                "password"
            ],
            "meta": {
                "location": "https://example.com/scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions/s.r77kLQ",
                "resourceType": "SessionMetadata"
            },
            "schemas": [
                "urn:pingidentity:scim:api:messages:2.0:session"
            ],
            "userAgentString": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 1
}

Retrieve a specific session

GET /scim/v2/Users/{id}/sessions/{sessionId}

GET /scim/v2/Me/sessions/{sessionId}

A client may request a specific session resource by providing the session’s ID.

Example request:

GET /scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions/s.xEuX6Q HTTP/1.1
Accept: application/scim+json
Authorization: Bearer AUYsTbtwMNEjWj...
Content-Type: application/scim+json
Host: example.com:443

Example response:

HTTP/1.1 200 OK
Content-Length: 444
Content-Type: application/scim+json
Date: Thu, 09 Jun 2016 23:31:45 GMT

{
    "id": "s.xEuX6Q",
    "ipAddress": "192.168.201.66", 
    "lastLogin": "2016-06-09T04:11:20.998Z", 
    "lastLoginMethods": [
        "password"
    ], 
    "lastSecondFactorMethods": [],
    "schemas": [
        "urn:pingidentity:scim:api:messages:2.0:session"
    ], 
    "userAgentString": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17"
}

Delete a specific session

DELETE /scim/v2/Users/{id}/sessions/{sessionId}

DELETE /scim/v2/Me/sessions/{sessionId}

A client may destroy a session by using the DELETE method and providing a specific session ID. After a session is deleted, it is no longer valid; however, access tokens associated with the session will remain active.

Example request:

DELETE /scim/v2/Users/1c588695-c3d9-4215-8f23-8e3c8f419492/sessions/s.xEuX6Q HTTP/1.1
Accept: application/scim+json
Authorization: Bearer AUYsTbtwMNEjWj...
Content-Length: 0
Content-Type: application/scim+json
Host: example.com:443

Example response:

HTTP/1.1 204 No Content
Date: Thu, 09 Jun 2016 23:33:59 GMT