...
A new condition (actually a BiPredicate) attached to login flows (usuallly usually globally via some simple properties) determines whether a particular AuthenticationResult is revoked, and if configured to do so the IdP will check this condition before allowing an existing result from a previous login to be reused.
...