> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Limit concurrent user sessions

To limit the number of sessions a user can run at once, configure a Keycloak [authentication flow](https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/authentication/flows.html). The flow that you must configure depends on how you authenticate users:

* Configure a browser flow if you use local or LDAP/AD authentication.

* Configure a post-sign in client flow if you use SSO.

<Note>
  The browser flow is internal to Keycloak and can’t be modified, so you must make a copy of it first.
</Note>

In addition, to limit concurrent sessions for API access, you must set up a [Domino First Broker Login flow](#first-broker-flow-for-api-access).

You can [limit](/6.3/admin/identity-and-access/authentication/limit-sessions) the number of active user sessions that a user can have open at one time. When a user reaches the user session limit, they must end their current user sessions before they begin a new session. You can stop user sessions from the Keycloak admin console, or users can sign out on their own.

## Use Keycloak’s user management

Concurrent user session limits must be applied individually to each flow. If you have multiple clients or flows, you must add a concurrent user session limit for each one.

### Browser flow for Local and LDAP/AD authentication

1. Copy the default browser flow (this default flow can’t be customized directly).

2. Click the copy of the default flow.

3. Click the **Flow Name > Forms** row from XYZ.

4. From **Actions**, click **Add Execution**.

5. Click **User Session Count Limiter** if the limit should be applied to a single user. Click **Realm Session Count Limiter** if the limit should be applied to all the users in a realm. A realm is the Keycloak version of a tenant.

6. Return to the flow page.

7. Set the execution you created to **Required**.

8. From the **Actions** menu, click **Config**.

9. Create a name for the execution and configure the authenticator. For **User Session Count Limiter**, you can select **Deny new session** or **Terminate oldest session** as the desired behavior.

10. Click **Clients** > **domino-play**.

11. In **Authentication Flow Overrides**, from **Browser Flow**, click your copied browser flow, and click **Save**.

### First broker flow for API access

1. Copy the direct grant flow (this default flow can’t be customized directly).

2. Click the copy of the default flow.

3. Click **Add Execution** on the **Actions** menu.

4. Click **User Session Count Limiter** if the limit should be applied to a single user. Click **Realm Session Count Limiter**, if the limit should be applied to a group of users.

5. Return to the flow page.

6. Set the execution you just created to **Required** and click **Config** from the **Actions** menu in the same line.

7. Create a name for the execution and configure the authenticator. For **User Session Count Limiter**, you can select **Deny new session** or **Terminate oldest session** as the desired behavior.

8. Click **Clients** > **domino-play**.

9. In **Authentication Flow Overrides**, from **Direct Grant Flow**, click your copied direct grant flow, and click **Save**.

## SSO version

Unlike other kinds of flows, you can’t directly add a user session limit to a client authentication flow. However, you can still limit the number of user sessions if you add a flow that executes after the user signs in:

1. From the Keycloak sidebar, click **Authentication**.

2. Click **New** on the **Flow Definition** page.

3. Name the new flow, set the flow type to **generic** and click **Save**.

4. Click **Add Execution** on the **Actions** menu.

5. Click **User Session Count Limiter** if the limit should be applied to a single user. Click **Realm Session Count Limiter** if the limit should be applied to a group of users.

6. Return to the flow page.

7. Set the execution you just created to **Required** and click **Config** from the **Actions** menu in the same line.

8. Create a name for the execution and configure the authenticator. For **User Session Count Limiter**, you can select **Deny new session** or **Terminate oldest session** as the desired behavior.

9. From the sidebar, click **Identity Providers** and click your SSO provider.

10. Open the **Post Login Flow** menu and click the flow you just created.

11. Click **Save**.

## Next steps

* [Set up Keycloak](/6.3/admin/identity-and-access/authentication/keycloak-set-up)

* [Federated Authentication through an LDAP Active Directory Provider](/6.3/admin/identity-and-access/authentication/ldap-ad-federation)
