User Sessions not decreasing and not getting affected by SSO Timeout settings #46285
Unanswered
mangarudov asked this question in Q&A
Replies: 0 comments
Hi all,
We use Keycloak 23.07 with Aerobase 2.17 as part of our application/solution.
One of our customers is having an issue, which we cannot simulate internally, regarding their User Sessions.
The customer has an Azure SAML 2.0 SSO integration set up with Keycloak, which they use for their logins. They have about 35k users on average that log in daily. Per expected behavior, each login creates its respective user session. However, upon restarting our application and logging in again, a new user session can be seen in Aerobase, instead of the old one being updated/overwritten.
This causes a stacking accumulation of user sessions and entries in the DB, at which point they almost reached 2M user sessions shown in Aerobase (and respectively 2M rows in the DB). This causes both the application server and DB server memory utilization to spike quite high, which forced a manual log-out of all user sessions to be needed. Afterwards, a steady accumulation of the sessions was seen again.
Below are the token settings we applied to their Realm:

After the 3 days that we set, we still did not see any decrease in the active sessions. Per the Aerobase documentation, these should be affecting the SSO and User Sessions, correct? The previous settings were set to 999 instead of 3 as part of another solution a long time ago. Do the sessions need to be cleared/logged out manually for the new ones to take effect?
In the logs, we don't see any related errors or abnormalities.
Could anyone please let us know if these are the correct settings we should be looking at, or if perhaps this is a known issue?
For a bit more context, the customer's clients from where the logins are initialized are located in a Citrix environment, which means that after a user logs out of a Citrix session and comes back (let's say the next day), their Citrix environment/workspace gets "rebuilt" fresh. Maybe this causes the token/session to be stuck because of the 999 days SSO timeout, while being a new Citrix session creates a new token every time?
Would appreciate any details you can provide us regarding the User Session mechanism with SSO and with ways we can prevent the overflowing count of user sessions being retained.
Thank you in advance!