
disallow multiple logins of a user session in websphere


My application is deployed in IIS, which has plugins to connect to WebSphere, where my application servers are spun up. WebSphere connects to LDAP for user auth. I have a requirement to have ONLY one user session allowed through WebSphere. If the same user identity tries to log in again, on the same or another device or anywhere else, there should be some setting / configuration in WebSphere that prohibits the user from making a second session. Any direction on this matter will be helpful.


Solution

  • If you are using standard WAS security with form based login, you could take a look into this Redbook, WebSphere Application Server V7.0 Security Guide. In the chapter "8.8 Customizing the login process" it shows a filter that you could use for customizing the login process. A more detailed approach is also shown here: https://www.ibm.com/docs/en/was-nd/8.5.5?topic=login-developing-servlet-filters-form-processing

    At a very high level:

    • you need a DB with a table where you keep your current logins and login times (to provide some timeout in case one doesn't log off properly)
    • in the filter you check if the given user has an active concurrent login and return an error page instead, or pass through to the app.

    This is very high level and you need to design it correctly to not lock out your users. E.g. a user accidentally closing his browser would result in having to wait for the timeout before being able to log in again.

    Another approach could be to log out any existing sessions and log in just the new user, but that approach requires you to have distributed session invalidation, which is also not an easy design.

    So in short, I'd think twice if it is really a required feature before implementing it, as it adds a lot of complexity to your application ;-)
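As an added example (not code from the question, the answer, or IBM), here is a servlet filter sketch of the "one live login per user" check the answer describes. It assumes a web.xml filter mapping that covers both `/j_security_check` and the application URLs (the IBM page linked above shows how to put a filter in front of form-login processing), uses a `ConcurrentHashMap` as a stand-in for the answer's database table (so it only works inside one JVM), and `/already-logged-in.html` is an assumed error page.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

public class SingleLoginFilter implements Filter {
    private static final Duration IDLE_TIMEOUT = Duration.ofMinutes(30);
    // Stand-in for the "current logins" table: user -> (owning HTTP session id, last activity).
    private static final class Login { final String sessionId; final Instant lastSeen;
        Login(String sid, Instant t) { sessionId = sid; lastSeen = t; } }
    private final ConcurrentHashMap<String, Login> activeLogins = new ConcurrentHashMap<>();

    // An entry still blocks other logins until it has been idle for IDLE_TIMEOUT.
    private static boolean isLive(Login l, Instant now) { return l != null && l.lastSeen.plus(IDLE_TIMEOUT).isAfter(now); }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String uri = request.getRequestURI();
        Instant now = Instant.now();
        if (uri.endsWith("/j_security_check")) {
            // Form-login POST: refuse early if this identity already has a live login.
            if (isLive(activeLogins.get(String.valueOf(request.getParameter("j_username"))), now)) {
                response.sendRedirect(request.getContextPath() + "/already-logged-in.html");
                return;
            }
        } else if (request.getRemoteUser() != null) {
            String user = request.getRemoteUser(), sid = request.getSession(true).getId();
            if (uri.endsWith("/ibm_security_logout")) {
                // Release the slot only if this session owns it (a rejected second login must not evict the first).
                activeLogins.computeIfPresent(user, (u, old) -> old.sessionId.equals(sid) ? null : old);
            } else {
                // First authenticated request claims the slot, the same session refreshes it,
                // and a live slot owned by another session wins (closes the login-time race).
                Login owner = activeLogins.compute(user, (u, old) ->
                        isLive(old, now) && !old.sessionId.equals(sid) ? old : new Login(sid, now));
                if (!owner.sessionId.equals(sid)) {
                    response.sendRedirect(request.getContextPath()
                            + "/ibm_security_logout?logoutExitPage=/already-logged-in.html");
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

In a cluster the map has to become the shared DB table the answer mentions, and a session that never logs out is released only by the idle timeout, which is exactly the lock-out trade-off the answer warns about.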