You should debug at RegisterSessionAuthenticationStrategy to check what really happens

You are loggin with a single account, but the external authz server knows nothing about controlling concurrent session in your service. It return you two different Authentication objects.

If possible, Try to implement you own Authentication and override hashCode and equals.