Revoking tokens in Cloudflare Access for a given application is not working.
What steps have you taken to resolve the issue?
I’ve clicked the “Revoke existing tokens” button multiple times and also set the session to expire immediately on two separate applications and still I continue to be logged in.
Have you done a capture on the SAML authentication when revoked? If the user still has a valid global session token then individual application with reauth…
The user can access the application for the entire duration of the application token’s lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user’s identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP.
The global token expiration is usually set to equal or exceed the application token expiration. Setting a longer global token provides a more secure way to allow for longer user sessions, since the global token cannot be used to directly access an application.
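The token lifecycle quoted above, as a small model that shows why a user can stay logged in after an application token is ended. This is an added example, not Cloudflare's code: the `Session` fields, the function names, the `"deny"` outcome and the assumption that revoking an application's tokens leaves the global token untouched are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Constructed model of one user's state; times are plain seconds."""
    global_exp: float        # expiry of the global token
    app_exp: float           # expiry of this application's token
    policy_ok: bool = True   # identity still passes the Access policy

def handle_request(s: Session, now: float, app_ttl: float) -> str:
    """Return what the user experiences when requesting the application."""
    if now < s.app_exp:
        return "allow"               # application token still valid
    if now < s.global_exp:
        if not s.policy_ok:
            return "deny"            # assumption: policy failure blocks reissue
        s.app_exp = now + app_ttl    # new application token, no IdP prompt
        return "reissue"
    return "reauth"                  # global token expired too: back to the IdP

def revoke_app_tokens(s: Session, now: float) -> None:
    """Assumption: revocation ends only this application's token."""
    s.app_exp = now

def replay() -> list:
    """Constructed timeline: 24 h global token, 30 min application token."""
    s = Session(global_exp=86400, app_exp=1800)
    out = [handle_request(s, 60, 1800)]        # normal access
    revoke_app_tokens(s, 120)
    out.append(handle_request(s, 121, 1800))   # silently reissued
    out.append(handle_request(s, 90000, 1800)) # both tokens expired
    return out

if __name__ == "__main__":
    print(replay())
```

In this model the user only reaches the IdP again once the global token is no longer valid, which matches the behaviour the quoted documentation describes.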