Configuring CTS-Based Sessions
By default, AM configures the CTS token store schema in the AM configuration store. Before configuring your AM deployment to use CTS-based sessions or authentication sessions, we recommend you install and configure an external CTS token store. For more information, see Core Token Service Guide (CTS).
CTS-based sessions and authentication sessions benefit from configuring sticky load balancing. For more information, see Load Balancers.
To configure CTS-based sessions and authentication sessions, see the following procedures:
Important
Configuring storage location for authentication sessions is only supported for authentication trees. Authentication chains always store authentication sessions in AM's memory. For more information, see Introducing Sessions.
To configure CTS-based authentication sessions:
1. Log in to the AM console as an administrative user, for example, amAdmin.
2. Navigate to Realms > Realm Name > Authentication > Settings > Trees.
3. From the Authentication session state management scheme drop-down list, select CTS.
4. In the Max duration (minutes) field, enter the maximum life of the authentication session in minutes.
5. Save your changes.
6. Navigate to Configure > Authentication > Core > Security.
7. In the Organization Authentication Signing Secret field, enter a base64-encoded HMAC secret that AM uses to sign the JWT that is passed back and forth between the client and AM during the authentication process. The secret must be at least 128 bits in length.
8. Save your changes.
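The signing secret entered above must be base64-encoded and decode to at least 128 bits. The following shell snippet is an added example, not part of the AM documentation or product: it generates such a secret and checks a candidate value before you paste it into the field. It assumes GNU coreutils base64 and a readable /dev/urandom.

```shell
#!/bin/sh
# Added example (not AM documentation or product code): generate and check a
# base64-encoded HMAC secret for the Organization Authentication Signing Secret
# field. Assumes GNU coreutils `base64` and a readable /dev/urandom.

# AM requires at least 128 bits, i.e. 16 bytes, of decoded secret material.
MIN_SECRET_BYTES=16

# Print a fresh base64-encoded secret of N random bytes (default 32 = 256 bits).
generate_signing_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if $1 is well-formed base64 that decodes to >= MIN_SECRET_BYTES
# bytes, else 1. Run this on a secret before pasting it into the console.
check_signing_secret() {
    # Reject malformed base64 first: base64 -d exits non-zero on bad input.
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    decoded_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$decoded_len" -ge "$MIN_SECRET_BYTES" ]
}

# Usage: print a new secret only if it passes the length and encoding check.
secret=$(generate_signing_secret)
check_signing_secret "$secret" && echo "$secret"
```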
To configure CTS-based sessions:
1. Log in to the AM console as an administrative user, for example, amAdmin.
2. Navigate to Realms > Realm Name > Authentication > Settings > General.
3. Ensure the Use Client-based Sessions check box is not selected.
4. Save your changes.
5. Verify that AM creates a CTS-based session when non-administrative users authenticate to the realm. Perform the following steps:
   a. Authenticate to AM as a non-administrative user in the realm you enabled for CTS-based sessions.
   b. In a different browser, authenticate to AM as an administrative user, for example, amAdmin.
   c. Navigate to Realms > Realm Name > Sessions.
   d. Verify that a session is present for the non-administrative user.