Identity Cloud

Suspended authentication

Suspended authentication lets you save a user’s progress through an authentication journey and later resume from the same point.

Any input provided during authentication is saved when the authentication journey is suspended and restored when the authentication journey is resumed. This lets the authentication journey continue if the user closes their browser, uses a different browser, or uses a different device.

When you suspend an authentication journey, you give the user a URL they must visit to resume their authentication. The URL contains a unique identifier for retrieving the saved progress and can only be used once. These URLs are sometimes referred to as magic links.

The Email Suspend node supports suspended authentication.

Typical use cases include passwordless authentication and email verification during progressive profile completion.

The following journey lets a user authenticate if they have forgotten their username:

The example

After obtaining the user’s email address in the Attribute Collector node, the journey attempts to identify the user. The journey then attempts to email the user and suspends itself.

Note both the True and False outcomes are mapped into the Email Suspend node to reduce potential data leakage. If the username is found, it is included in the email sent to the user, along with the link to use to resume the authentication journey.

When the user follows the link, the authentication journey resumes at the Inner Tree Evaluator node, which lets the user authenticate with their recovered username and credentials.

Configure suspended authentication timeouts

You can configure the length of time an authentication session can last so that resources can be freed up if authentication is not completed. You can also configure the length of time that a journey can be suspended.

Set these values to the minimum reasonable time required to complete the authentication. For example, if you are sending an email, 10 minutes might be reasonable.

The time allowed for suspending authentication must be the same as or less than the maximum duration of the journey.

To configure these timeouts, go to Authentication > Settings > Trees in the AM admin UI and set the Max duration and Suspended authentication duration properties. For information about these properties, refer to Trees.

Copyright © 2010-2022 ForgeRock, all rights reserved.