Users log in to PAM through SSO (SAML authentication), for example with Azure as the IdP. Rather than having the PAM client installed on their local desktops, users connect to a Citrix Desktop and launch the PAM client from there. Intermittently, instead of redirecting the user to the IdP for authentication, the PAM client logs on to PAM automatically using the session of the previous Citrix Desktop user, so the new user ends up in PAM under the previous user's identity.
Affects PAM releases 4.1.2 through 4.1.5.
PAM 4.1.2 included an upgrade of JxBrowser, the embedded browser used by the PAM client. The newer JxBrowser release by default persists the security context established during a successful IdP authentication and reuses it the next time the client is launched. For a PAM client installed on a single user's own desktop this gives a smoother SSO experience, because the user is not prompted again by the IdP. On a shared Citrix Desktop, however, the same PAM client is launched by different users in turn, and the persisted context of the previous user is picked up by the next one.
This problem is fixed in PAM 4.1.6 and newer releases. See the following item at the bottom of the Resolved Issues in 4.1.6 page:
33578010 DE582477 SSO sessions are being reused by other users.
If you have this problem and cannot upgrade to 4.1.6+ yet, please open a case with PAM Support.
Note that the fix changes behavior for PAM clients installed locally on user laptops and desktops as well. From 4.1.6 on, the PAM client always requests a new authentication from the IdP, even when the same user launches the client repeatedly on a personal desktop or laptop, and no longer reuses a previously established security context. Users who were accustomed to being logged in without an IdP prompt will therefore see the prompt on every launch; this is the intended behavior after the fix.