Identity Cloud

Configure client-side sessions

Identity Cloud uses two types of tokens that represent an exchange of information, usually interactive, between Identity Cloud and a user or entity:

  • Authentication sessions, which Identity Cloud uses to manage authentication journeys before a user has authenticated successfully.

  • Sessions, which Identity Cloud creates after a user has authenticated successfully. Sessions let Identity Cloud manage the user’s or entity’s access to resources.

You can configure Identity Cloud to use client-side or server-side authentication sessions and sessions.

This page covers how to configure Identity Cloud to use client-side authentication sessions and sessions.

Client-side authentication sessions

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Authentication > Settings.

  2. Switch to the Trees tab.

  3. From the Authentication session state management scheme drop-down list, select JWT.

  4. In the Max duration (minutes) field, adjust the maximum life of the authentication session in minutes.

  5. Save your changes.

When Identity Cloud creates tenant environments, it generates signing secrets: unique, secure, random values for signing authentication sessions.

To override the generated signing secret:

  1. On the Authentication - Settings page, switch to the Security tab.

  2. In the Organization Authentication Signing Secret field, enter a base64-encoded HMAC secret at least 128 bits long.

    If you choose to override the generated signing secret, specify different values in your development, staging, and production tenant environments, so development sessions are not valid in your production environment, for example.
  3. Save your changes.

Client-side sessions

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Authentication > Settings.

  2. Switch to the General tab.

  3. Select Use Client-Side Sessions.

  4. Save your changes.

Verify client-side sessions

The service does not track client-side sessions:

  1. Authenticate to the realm configured for client-side sessions as a non-administrative user:

    $ curl \
    --request POST \
    --header 'Content-Type: application/json' \
    --header 'X-OpenAM-Username: <non-admin-username>' \
    --header 'X-OpenAM-Password: <non-admin-password>' \
    --header 'Accept-API-Version: resource=2.0, protocol=1.0' \
    'https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/authenticate'
    {
        "tokenId":"<token-id>",
        "successUrl": "/enduser/?realm=/alpha",
        "realm":"/alpha"
    }
  2. Under Native Consoles > Access Management, go to Realms > Realm Name > Identities > Username to find the user identifier at the top of the profile page; for example:

    The profile page shows the user identifier.
  3. Go to Realms > Realm Name > Sessions.

    With the user identifier, search for the session. You should find no sessions for the non-administrative user:

    The service does not track client-side sessions.
Copyright © 2010-2024 ForgeRock, all rights reserved.