Session Persistence After SSO Expiry (DOM-26-003)


Summary

With SSO (OpenID Connect) authentication, the local session could outlive the SSO session. After the SSO session expired or was revoked (for example, when offboarding a user), the local session stayed valid until its own expiry, allowing continued access.

Only installations using SSO are affected. Local-authentication-only installations are not.

The fix shipped in v25.12 (December 2025); this advisory is being published now as part of a consolidated disclosure.
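The following is an added illustration of the class of defect described above, not code from Digi On-Prem Manager: a session check that consults only the local lifetime (the pre-fix behaviour) beside one that also honours the OIDC ID token's `exp` claim and a revocation flag set on offboarding. All names, the sample claims and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    local_expires_at: float            # expiry of the local session cookie
    sso_expires_at: Optional[float]    # 'exp' claim of the OIDC ID token; None for local auth
    sso_revoked: bool = False          # set when the IdP/admin revokes SSO access


def session_from_id_token(user: str, claims: dict, local_ttl: float, now: float) -> Session:
    """Create a local session whose SSO expiry is copied from the ID token's 'exp' claim."""
    return Session(user=user,
                   local_expires_at=now + local_ttl,
                   sso_expires_at=float(claims["exp"]))


def session_valid_before_fix(s: Session, now: float) -> bool:
    # Vulnerable check: only the local lifetime is consulted, so the local
    # session outlives the SSO session (the behaviour described in DOM-26-003).
    return now < s.local_expires_at


def session_valid_after_fix(s: Session, now: float) -> bool:
    # Hardened check: for SSO logins the session is valid only while BOTH the
    # local lifetime and the SSO session are unexpired and not revoked.
    if now >= s.local_expires_at:
        return False
    if s.sso_expires_at is not None:
        if s.sso_revoked or now >= s.sso_expires_at:
            return False
    return True


def revoke_sso(s: Session) -> Session:
    """Offboarding hook: mark the SSO session revoked immediately, ahead of 'exp'."""
    s.sso_revoked = True
    return s


# Constructed sample: SSO login at t=0, ID token valid 1 hour, local session 8 hours.
LOGIN_AT = 1_700_000_000.0
ID_TOKEN_CLAIMS = {"sub": "alice", "exp": LOGIN_AT + 3600}   # constructed claims
SSO_SESSION = session_from_id_token("alice", ID_TOKEN_CLAIMS, local_ttl=8 * 3600, now=LOGIN_AT)
LOCAL_SESSION = Session("bob", local_expires_at=LOGIN_AT + 8 * 3600, sso_expires_at=None)
CHECK_AT = LOGIN_AT + 2 * 3600   # two hours later: SSO expired, local cookie still "alive"

if __name__ == "__main__":
    print("before fix:", session_valid_before_fix(SSO_SESSION, CHECK_AT))  # True (bug)
    print("after fix: ", session_valid_after_fix(SSO_SESSION, CHECK_AT))   # False
```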

Solution

Users should update to v25.12 or later.

Mitigations

For users unable to upgrade:

  • Disable the user account in Digi On-Prem Manager when revoking SSO access
  • Enable session IP locking (login.session_ip_lock), which binds a session to the IP address it was created from

Affected Versions

  • Digi On-Prem Manager versions before v25.12 with SSO enabled