Session based authorization

My application, for now, has 2 types of users: Admin and User.

While Admin has full access, the User enters my website from an outside website by a link.
for example
Then, I redirect to Keycloak for authentication (LDAP or custom OpenID provider).

I want to enforce that the user can only make requests for that specific id for the entire session.
If he wants to change his resource ID he will need to return to the external system for a new link.

This means that he will only see things related to id 123.
I want to prevent cases when he changes the id and uses the same token.

How can that be done?
Thank you
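
One way to enforce the rule described in the question, shown as an added example that is not part of the original post: the id from the entry link is stored in a server-side session when the user returns from authentication, and every later request is checked against it. The names `SessionStore`, `create`, `authorize` and the 15-minute lifetime are assumptions made for this sketch.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SESSION_TTL_SECONDS = 15 * 60  # assumed lifetime, not stated in the post


@dataclass(frozen=True)
class Session:
    subject: str                # identity returned by the identity provider
    role: str                   # "Admin" or "User", the two roles in the post
    resource_id: Optional[str]  # id from the entry link; None for Admin
    expires_at: float


class SessionStore:
    """Server-side sessions: the bound id is never read back from the client."""

    def __init__(self):
        self._sessions = {}

    def create(self, subject, role, resource_id=None, now=None):
        """Call once, after authentication, with the id from the entry link."""
        now = time.time() if now is None else now
        if role not in ("Admin", "User"):
            raise ValueError("unknown role")
        if role == "User" and not resource_id:
            raise ValueError("a User session must be bound to a resource id")
        bound = resource_id if role == "User" else None
        sid = secrets.token_urlsafe(32)  # unguessable session handle
        self._sessions[sid] = Session(subject, role, bound,
                                      now + SESSION_TTL_SECONDS)
        return sid

    def authorize(self, sid, requested_id, now=None):
        """Return True only if this session may access requested_id."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None or now >= session.expires_at:
            self._sessions.pop(sid, None)  # drop unknown or expired sessions
            return False
        if session.role == "Admin":
            return True  # Admin has full access
        # A User may only touch the id bound at login; changing it fails.
        return requested_id == session.resource_id
```

Because the bound id lives only on the server, reusing the same session with a different id in the URL is rejected, and a new id requires a new entry through the external link.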