CTS-based sessions reside in the CTS token store and can be cached in memory on one or more AM servers to improve system performance.
If the session request is redirected to an AM server that does not have the session cached, that server must retrieve the session from the CTS token store.
AM sends a reference to the session to the client, but the reference does not contain any of the session state information. AM can modify a session during its lifetime without changing the client’s reference to the session.
During authentication, the session reference is returned to the client after a call to the
and stored in the
authId object of the JSON response.
AM maintains the authenticating user’s session in the CTS token store. After the authentication flow has completed, if the realm to which the user has authenticated is configured for client-based sessions, AM returns session state to the client and deletes the CTS-based session.
Authentication session allowlisting is an optional feature that maintains a list of in-progress authentication sessions and their progress in the authentication flow to protect against replay attacks. For more information about the allowlisting setting, see Trees.
Once the user is authenticated, the session reference is known as an SSO token.
For browser clients, AM sets a cookie in the browser that contains the session reference.
For REST clients, AM returns the session reference in response to calls to the
For more information about session cookies, see Sessions and cookies.