RDM reauthentication each time PAM entry accessed when ‘Force prompt login’ enabled in the Hub/Cloud
Hello,
When ‘Force prompt login’ is enabled in the Hub/Cloud settings, it seems to cause RDM to prompt for SSO re-authentication every time a ‘Devolutions Cloud privileged account’ credential is used/viewed.
Please let me know if any additional information is required.
Thanks
Joe
Hello Joe,
Thank you for the detailed report.
I checked this flow with our RDM development team.
The re-prompt you are seeing is expected under the current design, not a defect.
Here is what happens under the hood.
When you use a Devolutions Cloud privileged account entry to view or fetch a credential, RDM opens a temporary background connection to Hub.
That background connection runs its own sign-in flow.
It reads the "Force prompt login" setting from the workspace and honours it.
Every credential use spins up a new connection, so every use re-prompts.
The setting is doing exactly what it promises.
The credential resolver just uses a second connection instead of reusing the one you already signed into.
We have logged an internal improvement so the resolver reuses your existing Hub session.
The change requires an architectural update in the RDM client.
Please do not expect a fix in a short release.
In the meantime, two paths will keep the workflow moving.
First, you can disable "Force prompt login" in Hub, under Administration, Access and authentication, General.
That clears the re-prompt.
It also removes the enforced re-prompt for other sessions, so use it only if that trade-off works for your security posture.
Second, if "Force prompt login" must stay on, skip the "Devolutions Cloud privileged account" credential-entry type entirely.
On the RDP session entry itself, link the privileged account directly from the workspace's PAM provider.
The checkout then happens on the workspace itself.
The credential resolution stays inside your primary Hub session.
No temporary background connection is spawned.
This is the recommended path when "Force prompt login" must stay enabled.
Best regards,
AI Maturity Survey — 2 minutes of your time.
Enter to win a $1,000 CAD Amazon gift card or a Mindstone training course.
https://survey.alchemer-ca.com/s3/50606209/d87f0b7d503e
Patrick Ouimet
Hi Patrick,
Thank you for the detailed explanation of why the duplicate reauthentication prompt occurs.
Regarding the provided work arounds:
1) Disabling the 'Force prompt login' setting potentially results in a 'session hijacking' security exposure whereby an existing token could be used to gain access to the workspace
2) Explicitly linking the 'Devolutions Cloud privileged account' entry/credential to session entries (i.e. RDP, Web, SSH etc) is incompatible with shared vault workflows where each user has their own unique PAM account/s. Doing so would result in having to create duplicate session entries, each linked to a different users' PAM credential.
While it is understandable that possibly in the interest of development effort, the current architecture may have been done in such a way as to use a second temporary background connection to the workspace, that approach unfortunately results in an extremely poor user experience, i.e. having to reauthenticate up to 50 times a day.
In this context, and due to the behavior being specific to 'Devolutions Cloud privileged account' type entries, can you ask the development team to re-assess classifying this limitation as being 'by design', to instead be recognized as a bug warranting an expedited fix?
Please let me know if you would like any additional information.
Thanks
Joe