Identity Cloud

Configure client-side sessions

Client-side sessions require additional configuration in your environment to keep the sessions safe. You should ensure that the JWT that stores the session state is signed using a base64-encoded HMAC secret.

Configure client-side authentication sessions

  1. In the AM admin UI, go to Realms > Realm Name > Authentication > Settings > Trees.

  2. From the Authentication session state management scheme drop-down list, select JWT.

  3. In the Max duration (minutes) field, enter the maximum life of the authentication session in minutes.

  4. Save your changes.

  5. Go to Authentication > Settings > Security.

  6. In the Organization Authentication Signing Secret field, enter a base64-encoded HMAC secret. AM uses this secret to sign an ID for server-side authentication sessions, or, for client-side authentication sessions, the JWT that is passed back and forth between the client and AM during the authentication process. The secret must be at least 128 bits in length.

    A unique, securely-random value for this signing secret was generated when your environment was created. If you choose to override that value, you must also make the value unique for your development, staging and production environments, so that a development session is not valid on your production environment.

  7. Save your changes.
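
The requirements in step 6 (base64 encoding, at least 128 bits, a distinct value per environment) can be checked before a value is entered in the admin UI. The following Python is an added example, not ForgeRock code: all function names are hypothetical, and the HS256 token built by `sign` is a generic signed JWT used to show why a reused secret would let a development session verify in production. It is not AM's actual session format.

```python
import base64, binascii, hashlib, hmac, json, secrets

MIN_SECRET_BYTES = 16  # 128 bits, the minimum stated in step 6

def generate_signing_secret(num_bytes=32):
    """Return a base64-encoded, securely random HMAC secret."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")

def check_secrets(per_env):
    """Return a list of problems for a {environment: base64 secret} mapping."""
    problems, seen = [], {}
    for env, value in per_env.items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{env}: not valid base64")
            continue
        if len(raw) < MIN_SECRET_BYTES:
            problems.append(f"{env}: only {len(raw) * 8} bits, need 128")
        if raw in seen:
            problems.append(f"{env}: same secret as {seen[raw]}")
        seen.setdefault(raw, env)
    return problems

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def sign(claims, secret_b64):
    """Build a compact HS256 JWT (assumed algorithm, illustration only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    key = base64.b64decode(secret_b64)
    sig = _b64url(hmac.new(key, header + b"." + body, hashlib.sha256).digest())
    return b".".join((header, body, sig)).decode()

def verify(token, secret_b64):
    """True only if the token was signed with this environment's secret."""
    signed, _, sig = token.encode().rpartition(b".")
    key = base64.b64decode(secret_b64)
    expected = _b64url(hmac.new(key, signed, hashlib.sha256).digest())
    return hmac.compare_digest(sig, expected)

if __name__ == "__main__":
    # Constructed sample: one fresh secret per environment.
    envs = {e: generate_signing_secret() for e in ("development", "staging", "production")}
    print("problems:", check_secrets(envs))
    token = sign({"sub": "demo"}, envs["development"])
    print("valid in development:", verify(token, envs["development"]))
    print("valid in production:", verify(token, envs["production"]))
```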

Configure client-side session tokens

  1. In the AM admin UI, go to Realms > Realm Name > Authentication > Settings > General.

  2. Select the Use Client-Side Sessions check box.

  3. Save your changes.

  4. To check that AM creates a client-side session, and no longer stores the session on the server:

    1. Authenticate to AM as a non-administrative user in the realm you enabled for client-side sessions.

    2. In a different browser, authenticate to AM as an administrative user.

    3. Go to Realms > Realm Name > Sessions.

    4. Search for the session in the AM admin UI. Verify that no active server-side sessions are found for the non-administrative user.

Copyright © 2010-2022 ForgeRock, all rights reserved.