We are currently not updating the SSO info at reconnect, which means that if a user has changed password since session was started, for example via ssh-keyboard-interactive in the ThinLinc client, SSO will not work as the stored password/pin/whatever is not updated.
This will probably require a new XMLRPC call being implemented in VSM Agent where we tell the agent that a reconnect is about to happen.
Another approach would be to have an XMLRPC call that only sets SSO info for the user, and call that after the session has been created, and at reconnect.
This is also a problem when a user authenticates using different methods eg. smartcard vs. password. A typical scenario is using HTML5 client with password and reconnect using smartcard when using native client.