Server-side sessions reside in the CTS token store and can be cached in memory on one or more AM servers to improve system performance.
If the session request is redirected to an AM server that does not have the session cached, that server must retrieve the session from the CTS token store.
AM sends a reference to the session to the client, but the reference does not contain any of the session state information. AM can modify a session during its lifetime without changing the client’s reference to the session.
During authentication, the session reference is returned to the client after a call to the
and stored in the
authId object of the JSON response.
AM maintains the authenticating user’s session in the CTS token store. After the authentication flow has completed, if the realm to which the user has authenticated is configured for client-side sessions, AM returns session state to the client and deletes the server-side session.
Once the user is authenticated, the session reference is known as an SSO token.
For browser clients, AM sets a cookie in the browser that contains the session reference.
For REST clients, AM returns the session reference in response to calls to the