Terminate Active User Sessions on User Role Change Events through the WSO2 Identity Sever

Dehami Koswatte
3 min readSep 23, 2021


Session Termination through WSO2 Identity Server

The WSO2 Identity Server serves many purposes as you have seen in its docs. Yet, there are edge cases that require customization. This blog guides you how on how you can terminate active user sessions on user role change events. As a solution for the scenario above, I have written a small extension that captures role change events and terminates the user/s active session/s.

Flow Design

First, let’s take a quick peek at the design of this extension based on the diagram below. It shows a high-level flow design of the extension while the descriptions shed light on each step.

Extension Flow Design Diagram

You can find the source code for the above at GitHub, and if you want to know about backchannel log out, please refer to this Medium article. The diagram is quite self-explanatory hence, I’ll move onto the sophisticated part which is to configure the extension and execute a sample scenario.

Configuring the Extension

Start Configuring
  • Download the Identity Server from the official site. Hereafter the location of the Identity Server will be referred to as <IS_HOME>.

Setting Up the Extension

  • Clone the project by executing the command git clone https://github.com/deshankoswatte/identity-event-handler-session-termination.git.
  • Open and build the project by executing the command mvn clean install.
  • After successfully building the project, copy the artifacts, com.wso2.session.termination.handler-1.0.0.jar and com.wso2.common-1.0.0-SNAPSHOT.jar and paste them inside the <IS HOME>/repository/components/dropins folder.

Setting Up the Identity Server

  • Open the deployment.toml file located at <IS_HOME>/repository/conf/ and append the following lines to register the event handler, and its subscriptions.
Event Handler Properties
  • Start the WSO2 Identity Server by executing the command sh wso2server.sh in the <IS-HOME>/bin folder.
  • Navigate to the Management Console by accessing the link https://localhost:9443/carbon/admin/login.jsp and log in by providing the admin credentials.
  • Create a few roles and role-assigned users by following the guide in the official documentation.
  • Create the service providers for pickup-dispatch and pickup-manager with the help of the Medium article.

Try out the Scenario

Try Out
  1. Login to the pickup-dispatch and pickup-manager with a role specified user using Single Sign-On.
  2. Go to the Management Console and remove the role from that specific user.
  3. You can see that the pickup-dispatch and pickup-manager application will get logged out using backchannel log out.

Further Notes

This extension can also be used with other events by accompanying minor changes to source code.

Thank you Guys! I’ll see you in another blog.

Done and Dusted



Dehami Koswatte

Undergraduate at University of Westminster, Former Trainee Software Engineer @wso2