We have a web-app which uses federated authentication to authenticate users. Data for the Fed Auth are obtained from the Active Directory service.
One of the system's requirements is to have a "Last log in date" saved in the web-app, but the application is not performing any log in operation. It just checks whether the incoming request is allowed to perform the requested operation, based on the AD credentials.
Have you ever encountered such a requirement in a similar scenario? What was your approach to the problem? We thought about creating a user session on the first request and treating the session creation point as the log in date. This seemed like a bad idea, as we don't want to use user sessions at all, and this would be the only scenario utilizing them.
Another approach we were thinking about was to have the client tell us whether it is logging in or not, for example by making a special "mock" request, which the web-app would treat as the log in. This also seems bad, because in that case we have to trust the client to be telling the truth, which basically looks like a major vulnerability.
I am aware that this requirement makes little sense in such an environment, but that is something I can't argue with right now, which is why I am trying to find the most reasonable solution to the situation.
Thanks for all the suggestions in advance.
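The following is an added example, not code from the question above or from the asker's application. It shows how a "last log in date" can be derived entirely server-side, so that neither a user session nor a client-sent "I am logging in" request is needed: the federation token already tells the app when the identity provider actually authenticated the user. The example assumes (none of this is stated in the question) that the token is a SAML 2.0 assertion whose AuthnStatement carries an AuthnInstant attribute, that the SAML/WS-Federation library has already validated the assertion's signature and audience before this code runs, and that a hypothetical 30-minute inactivity gap is an acceptable proxy for "a new log in" when no AuthnInstant is available. The sample assertion is constructed for the example and is unsigned.

```python
"""Server-side "last log in" tracking for an app that never performs a login.

Added example; not code from the original question. Assumptions (not in the
post): the federation token is a SAML 2.0 assertion with an AuthnStatement
carrying AuthnInstant; signature and audience validation already happened
upstream; a 30-minute inactivity gap stands in for "a new log in" when no
AuthnInstant is available. SAMPLE_ASSERTION is constructed and unsigned.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample; a real assertion must be signature-checked before use.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-15T08:30:05Z">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-15T08:30:00Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_authn_instant(assertion_xml: str) -> Optional[datetime]:
    """Return the IdP's authentication time from the AuthnStatement, or None."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        return None
    # SAML timestamps are UTC with a trailing 'Z'; fromisoformat wants +00:00.
    return datetime.fromisoformat(stmt.attrib["AuthnInstant"].replace("Z", "+00:00"))


@dataclass
class LoginRecord:
    last_login: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    last_authn_instant: Optional[datetime] = None


class LastLoginTracker:
    """Derives "last log in" only from what the server can verify itself;
    nothing the client says about "logging in" is consulted."""

    def __init__(self, inactivity_gap: timedelta = timedelta(minutes=30)):
        self.records: Dict[str, LoginRecord] = {}
        self.inactivity_gap = inactivity_gap  # assumed threshold, see lead-in

    def observe_request(self, principal: str, now: datetime,
                        authn_instant: Optional[datetime] = None) -> bool:
        """Record one authorised request; return True if it counted as a login."""
        rec = self.records.setdefault(principal, LoginRecord())
        is_login = False
        if authn_instant is not None:
            # Preferred: the IdP states when it authenticated the user. A newer
            # AuthnInstant than previously seen for this principal is a new login,
            # however many requests reuse the same assertion.
            if rec.last_authn_instant is None or authn_instant > rec.last_authn_instant:
                rec.last_authn_instant = authn_instant
                rec.last_login = authn_instant
                is_login = True
        elif rec.last_seen is None or now - rec.last_seen > self.inactivity_gap:
            # Fallback heuristic when the token carries no authentication time:
            # a request after a long silence is treated as a fresh login.
            rec.last_login = now
            is_login = True
        rec.last_seen = now
        return is_login

    def last_login(self, principal: str) -> Optional[datetime]:
        rec = self.records.get(principal)
        return rec.last_login if rec else None


def run_scenario() -> Dict[str, str]:
    """Walk both strategies through a few requests; returns ISO timestamps."""
    tracker = LastLoginTracker()
    t0 = parse_saml_authn_instant(SAMPLE_ASSERTION)           # 08:30:00Z
    tracker.observe_request("alice", t0 + timedelta(minutes=1), t0)
    tracker.observe_request("alice", t0 + timedelta(minutes=5), t0)  # same assertion
    first = tracker.last_login("alice")
    t1 = t0 + timedelta(hours=2)                               # re-authenticated at the IdP
    tracker.observe_request("alice", t1 + timedelta(seconds=10), t1)
    second = tracker.last_login("alice")
    # No AuthnInstant available for bob: inactivity-gap heuristic only.
    tracker.observe_request("bob", t0)
    tracker.observe_request("bob", t0 + timedelta(minutes=10))
    within_gap = tracker.last_login("bob")
    tracker.observe_request("bob", t0 + timedelta(minutes=50))
    after_gap = tracker.last_login("bob")
    return {
        "alice_first": first.isoformat(),
        "alice_after_reauth": second.isoformat(),
        "bob_within_gap": within_gap.isoformat(),
        "bob_after_gap": after_gap.isoformat(),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Both strategies keep the decision on the server, which is the property the question is worried about: a client cannot forge an AuthnInstant without breaking the assertion's signature, and it cannot manufacture an "inactivity gap" except by actually staying away. The AuthnInstant route is the accurate one; the gap heuristic only approximates a login and should be documented as such wherever the date is shown. With an OpenID Connect identity provider the equivalent input is the auth_time claim of the ID token.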