How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I authenticate to another chain but keep the same session token in AM (All versions)?

Last updated Jan 16, 2023

The purpose of this article is to provide information on authenticating to another chain (using ForceAuth) while keeping the same session tokenId in AM. Keeping the same session tokenId is often a requirement for audit purposes. Session upgrade using the ForceAuth parameter is only supported for server-side sessions (called CTS-based sessions in pre-AM 7.2).


The following example demonstrates a user authenticating to one chain and then doing a session upgrade to a second chain with the same session token. When the session is upgraded, the existing session token is checked to ensure it is valid and any existing session properties are copied across to the second chain. The authentication parameters required to achieve this are: sessionUpgradeSSOTokenId and ForceAuth.


The ForceAuth parameter is case-sensitive; forceAuth=true is ignored and a new session token is issued when you authenticate to the second chain, so check the parameter name if the tokenId changes.

This example uses a very simple authentication setup purely for demonstration purposes. You can adapt this to your environment as needed ensuring you use the same authentication parameters to retain the session token.

Example setup

  • Create two authentication modules: DataStore and LDAP.
  • Set different Authentication Levels for each module, for example:
    • DataStore: 10
    • LDAP: 20
  • Create authChain1 and add the DataStore module as required.
  • Create authChain2 and add the LDAP module as required.

Authenticating to another chain with same session token


Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not the load balancer).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains valid resource versions.

See How do I avoid common issues with REST calls in AM (All versions)? for further information.

You can authenticate as follows:

  1. Authenticate to the first chain, for example:

     $ curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1"

     Example response:

     {
       "tokenId": "35huKgysok9Sg2Uk-MqX6agOArM.*AAJTSQACMDEAAlNLABxJb29DZnN1R1VZU0xNRWd6NDdrTndHVzZzQ1U9AAR0eXBlAANDVFMAAlMxAAA.*",
       "successUrl": "/am/console",
       "realm": "/"
     }

  2. Perform a session upgrade (ForceAuth) to the second chain, passing the tokenId from step 1 as sessionUpgradeSSOTokenId together with ForceAuth=true:

     $ curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1"*&ForceAuth=true

     Example response:

     {
       "tokenId": "35huKgysok9Sg2Uk-MqX6agOArM.*AAJTSQACMDEAAlNLABxJb29DZnN1R1VZU0xNRWd6NDdrTndHVzZzQ1U9AAR0eXBlAANDVFMAAlMxAAA.*",
       "successUrl": "/am/console",
       "realm": "/"
     }

  3. Observe that the session token has stayed the same in both responses.
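The same two-step flow as reusable helpers, added here as an example that is not part of the article or of ForgeRock's own code: it builds the chain login and the ForceAuth upgrade request, rejects the wrong-case forceAuth parameter, and checks that the tokenId survives the upgrade. The AM base URL, the /json/realms/root/authenticate endpoint with authIndexType=service, and the sample responses are assumptions or constructed values.

```python
import json
from urllib.parse import urlencode

# Assumed values (not from the article): AM base URL and the authenticate endpoint.
AM_BASE = "https://am.example.com:8443/am"
AUTH_PATH = "/json/realms/root/authenticate"
API_VERSION = "resource=2.1"


def build_auth_request(chain, username, password,
                       cookie_name="iPlanetDirectoryPro", upgrade_token=None):
    """Return (url, headers) for a login to `chain`, or for a ForceAuth session
    upgrade to `chain` when `upgrade_token` is given. urlencode percent-encodes
    the '*' characters in an AM token so the query string survives intact."""
    params = {"authIndexType": "service", "authIndexValue": chain}
    headers = {
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
        "Content-Type": "application/json",
        "Accept-API-Version": API_VERSION,
    }
    if upgrade_token is not None:
        params["sessionUpgradeSSOTokenId"] = upgrade_token
        params["ForceAuth"] = "true"          # exact case; forceAuth is ignored by AM
        headers[cookie_name] = upgrade_token  # header named after the real session cookie
    return f"{AM_BASE}{AUTH_PATH}?{urlencode(params)}", headers


def is_upgrade_request(url):
    """True when the URL carries both upgrade parameters. Raises on the lowercase
    forceAuth spelling, which AM silently ignores and then issues a new token."""
    query = url.split("?", 1)[1] if "?" in url else ""
    keys = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
    if "forceAuth" in keys:
        raise ValueError("use ForceAuth=true (exact case); forceAuth is ignored")
    return {"ForceAuth", "sessionUpgradeSSOTokenId"} <= keys


def same_session(first_response, second_response):
    """True when both /authenticate responses carry the same tokenId, i.e. the
    upgrade kept the existing session instead of creating a new one."""
    first = json.loads(first_response)["tokenId"]
    second = json.loads(second_response)["tokenId"]
    return first == second


# Constructed sample responses in the shape the article shows (token is made up).
FIRST = '{"tokenId": "EXAMPLE.*AAJTSQ.*", "successUrl": "/am/console", "realm": "/"}'
SECOND = '{"tokenId": "EXAMPLE.*AAJTSQ.*", "successUrl": "/am/console", "realm": "/"}'
```

Run the login request first, feed the returned tokenId into build_auth_request as upgrade_token, then compare the two responses with same_session; a False result means the session was replaced rather than upgraded.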

See Also

How do I validate session tokens and obtain session details using the REST API in AM (All versions)?

FAQ: Core Token Service (CTS) and session high availability in AM

Best practice for configuring sessions in AM (All versions) to reduce the impact on the CTS store

Session upgrade

Authenticate with a browser

Related Issue Tracker IDs

OPENAM-11015 (ForceAuth session upgrade does not work)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.