Identity Cloud

Suspended authentication

Suspended authentication lets you save a user’s progress through an authentication journey, and later resume from the same point.

Any input provided during authentication is saved when the authentication journey is suspended, and restored when the authentication journey is resumed. This lets the authentication journey continue after closing the browser, using a different browser, or even on a different device.

When suspending an authentication journey, you provide the user with a URL they must visit to resume their authentication. That URL contains a unique identifier for retrieving the saved progress, and can only be used once. These URLs are sometimes referred to as magic links.

The Email Suspend node supports suspended authentication.

Typical use cases include passwordless authentication, and email verification during progressive profile completion.

The following example lets a user authenticate if they have forgotten their username:


After obtaining the user’s email address in the Attribute Collector node, the example journey attempts to identify the user. Then, the journey attempts to email the user, and suspends itself.

Both the True and False outcomes are mapped into the Email Suspend node to reduce potential data leakage: the journey proceeds the same way whether or not the email address matches a user. If the username is found, it is included in the email sent to the user, along with the link that resumes the authentication journey.

When the user follows the link, the authentication journey resumes at the Inner Tree Evaluator node, which lets the user authenticate with their recovered username and credentials.

Configure suspended authentication

In AM, you can configure how long an authentication session can last, so that resources held by incomplete authentications are freed. You can also configure how long a journey can be suspended.

Set the suspend duration to the minimum reasonable time required to complete the authentication. For example, if you are sending an email, 10 minutes might be reasonable. The time allowed for suspending authentication must be the same as or less than the maximum duration for the journey.

To configure these timeouts, in the AM admin UI, go to Authentication > Settings > Trees. For more information about the properties, see Trees.
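The single-use resume link and the timeout rule described on this page, modelled as an added example; this is not ForgeRock's code or AM's implementation. `SuspendStore`, `start_recovery`, the 15-minute journey maximum and the `idp.example.com` URL are hypothetical names and values assumed for illustration.

```python
import hashlib
import secrets
import time

MAX_JOURNEY_SECONDS = 15 * 60  # assumed maximum duration for the journey


class SuspendStore:
    """Hypothetical in-memory model of suspend/resume; not AM's implementation."""

    def __init__(self, suspend_seconds, clock=time.monotonic):
        # The page's rule: suspend time must not exceed the journey maximum.
        if suspend_seconds > MAX_JOURNEY_SECONDS:
            raise ValueError("suspend duration exceeds maximum journey duration")
        self._ttl = suspend_seconds
        self._clock = clock
        self._saved = {}  # sha256(suspend id) -> (expiry, saved journey input)

    @staticmethod
    def _key(suspend_id):
        # Store only a digest so a leaked store cannot be replayed as links.
        return hashlib.sha256(suspend_id.encode()).hexdigest()

    def suspend(self, journey_state):
        """Save progress and return the unguessable id to embed in the link."""
        suspend_id = secrets.token_urlsafe(32)
        self._saved[self._key(suspend_id)] = (self._clock() + self._ttl, dict(journey_state))
        return suspend_id

    def resume(self, suspend_id):
        """Return the saved state once; None if unknown, used, or expired."""
        entry = self._saved.pop(self._key(suspend_id), None)  # pop = single use
        if entry is None:
            return None
        expiry, state = entry
        return state if self._clock() <= expiry else None


def start_recovery(store, directory, email):
    """Both lookup outcomes suspend, so the caller sees the same response."""
    state = {"mail": email, "username": directory.get(email)}  # None if not found
    suspend_id = store.suspend(state)
    # Constructed placeholder URL; returned here only so it can be inspected.
    link = "https://idp.example.com/resume?id=" + suspend_id
    return "If the address is registered, an email has been sent.", link
```

In a real deployment the link would go only to the mailbox, never back to the requesting browser.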

Copyright © 2010-2022 ForgeRock, all rights reserved.