SSO Session Management and User Revocation

Velaro uses Microsoft Entra ID (Azure Active Directory) for Single Sign-On (SSO). This guide explains how sessions work, what happens when a user is disabled, and the fastest way to revoke access for a terminated employee.

---

How SSO Sessions Work

When a user signs in through SSO, Entra authenticates them and Velaro issues a session token valid for 1 hour. Velaro re-validates the Entra account at each token renewal (roughly every 50 minutes).

This means two independent checks protect every session:

  • Entra — validates the user's identity and organizational membership
  • Velaro — validates the user's workspace account is active

---

What Happens When You Disable a User

Velaro checks the workspace account status on every API request, not just at login. When a user is marked as disabled in Velaro, their access is blocked within 2 minutes — even if they still have an active session open.

This check only applies to SSO users. Non-SSO (username/password) accounts follow standard session expiry.

---

Recommended Steps to Revoke Access

For the fastest, most complete revocation, follow this order:

1. Block in Entra (Azure AD)

Prevents any new sign-ins immediately. The user cannot obtain a new session once their current one expires.

2. Disable the user in Velaro

Go to Settings → Team Management and deactivate the workspace user. Velaro's per-request check will block their existing session within 2 minutes.

3. Optionally deactivate their team membership

Removes them from routing rules, team queues, and reporting. Recommended for clean offboarding.
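Step 1 can be scripted. The following is an added example and not Velaro documentation: it blocks the user's Entra sign-in with the Microsoft Graph PowerShell SDK, verifies the block, and (going one step beyond the guide) also revokes the user's Entra refresh tokens. The UPN is a placeholder, and the script assumes an operator holding the User.ReadWrite.All scope.

```powershell
# Added example (not Velaro's own tooling). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the operator can consent to User.ReadWrite.All.
$Upn = 'departing.user@example.com'   # placeholder, replace with the real UPN

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Step 1 from the guide: block new sign-ins at the identity provider.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# Extra hardening beyond the guide: invalidate the user's Entra refresh tokens
# so an existing token cannot be used to obtain a fresh Entra session.
# This does NOT end an existing Velaro session token (valid up to 1 hour);
# step 2, disabling the user in Velaro, is still required.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# Verify the block before moving on to the Velaro step.
$user = Get-MgUser -UserId $Upn -Property 'AccountEnabled','UserPrincipalName'
if ($user.AccountEnabled) {
    throw "Sign-in block failed for $($user.UserPrincipalName); do not proceed."
}
Write-Host "Entra sign-in blocked for $($user.UserPrincipalName). Next: disable the user in Velaro."
```

Run it before the Velaro disable so the two steps land within the same 2-minute window described in the Timeline Summary.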

---

Timeline Summary

Action             | Effect                          | When it takes effect
-------------------|---------------------------------|----------------------
Block in Entra     | Prevents new logins             | Immediately
Disable in Velaro  | Blocks existing active sessions | Within 2 minutes
Both together      | Full revocation of all access   | Under 2 minutes total

---

Frequently Asked Questions

Can a terminated employee still use Velaro after their Entra account is blocked?

Only for a brief window (up to 2 minutes), and only if they already have an active Velaro session. Disabling them in Velaro alongside their Entra block closes this window.

What if I can only do one of the two steps?

Blocking in Entra alone stops new sessions but the current session may remain active up to 1 hour. Disabling in Velaro alone blocks the current session within 2 minutes but does not prevent a new sign-in if their Entra account is still active.

Does this apply to all users?

The 2-minute per-request check applies to SSO users only. Standard username/password accounts are governed by their session lifetime.

What about service keys and API integrations?

Service keys (used by integrations and the Velaro MCP) are separate from SSO sessions and must be revoked independently under Settings → API Keys if needed.
