Configuring Authentication Session Whitelisting

Enable authentication session whitelisting to protect authentication sessions from replay attacks.

When authentication session whitelisting is enabled, AM generates a key-value pair for each authentication session and stores it for the length of the authentication flow in the following ways:

  • For client-based authentication sessions, AM stores the key-value pair in the CTS token store.

  • For CTS-based authentication sessions, AM creates the key-value pair as a session property in the authentication session.

  • For in-memory sessions, AM creates the key-value pair as a session property in the authentication session.

Each time the authentication flow reaches an authentication node, AM changes the value of the stored key-value pair and sends the new value to the user or client it is authenticating. The next request to AM to continue the authentication flow must contain the key-value pair, and its value must match the value AM expects.

If the authenticating user or client cannot provide the key-value pair with the value AM expects, AM does not continue the authentication flow. This protects the flow against a malicious user who attempts to rewind authentication to a previous node.
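The following simulation is an added example, not AM code or part of this documentation. It models the mechanism described above with a hypothetical three-node tree (`username`, `password`, `otp`, constructed for the example): the server keeps one accepted value per authentication session, rotates it every time a node completes, and compares the presented value in constant time. Whether a mismatch terminates the session is an assumption made here for the example; the page only states that AM does not continue the flow.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample tree; real trees are defined in the AM console.
NODES = ["username", "password", "otp"]


@dataclass
class AuthSession:
    """Server-side state for one in-progress authentication flow."""
    session_id: str
    node_index: int = 0
    # The whitelisted value: the only value accepted on the next request.
    # Hypothetical name; models the session property the page describes.
    expected_value: str = field(default_factory=lambda: secrets.token_hex(16))


class AuthFlowServer:
    """Minimal model of an authentication flow with whitelisting enabled."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        """Begin a flow; return the session id and the first whitelisted value."""
        session = AuthSession(session_id=secrets.token_hex(8))
        self._sessions[session.session_id] = session
        return session.session_id, session.expected_value, NODES[0]

    def continue_flow(self, session_id, presented_value):
        """Advance one node if the presented value is the one currently expected."""
        session = self._sessions.get(session_id)
        if session is None:
            return ("rejected", "unknown session")
        # Constant-time comparison so the check itself leaks nothing about the value.
        if not hmac.compare_digest(session.expected_value, presented_value):
            # Assumption for this example: a mismatch ends the flow outright.
            del self._sessions[session_id]
            return ("rejected", "whitelist mismatch: stale or replayed value")
        session.node_index += 1
        if session.node_index >= len(NODES):
            del self._sessions[session_id]
            return ("authenticated", None)
        # Rotate the value so anything issued before this node is now useless.
        session.expected_value = secrets.token_hex(16)
        return ("continue", session.expected_value)


def happy_path():
    """A well-behaved client presents each freshly issued value in turn."""
    server = AuthFlowServer()
    session_id, value, _ = server.start()
    status = None
    for _ in NODES:
        status, value = server.continue_flow(session_id, value)
    return status


def rewind_attempt():
    """A client replays the value issued before an earlier node; AM-style check rejects it."""
    server = AuthFlowServer()
    session_id, first_value, _ = server.start()
    server.continue_flow(session_id, first_value)      # username node completed
    return server.continue_flow(session_id, first_value)  # replay of the stale value


if __name__ == "__main__":
    print("happy path:", happy_path())
    print("rewind attempt:", rewind_attempt())
```

The point to take from the model is that the accepted value is rotated per node, not per session: a value captured or retained from an earlier step can never be accepted again, so a request that tries to re-enter an already completed node fails the comparison and the flow halts.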

Perform the following steps to configure authentication session whitelisting:

To Configure Authentication Session Whitelisting
  1. Navigate to Realms > Realm Name > Authentication > Settings > Trees.

  2. Select Enable whitelisting.

  3. Save your changes.
