Remember-Me in authentication flows

The Airlock IAM Remember-Me solution allows simplifying authentication flows for users based on persistent cookies stored in the user's web browser (or any other client).

When activated, it stores a persistent cookie in the browser after the end-user has been authenticated. The cookie is then processed in subsequent sessions to re-identify the user and may be used for simplifying the authentication flow, e.g., skip the password check.

Note that there is a self-service that allows end-users to view and manage their stored remember-me tokens.

Typical use-cases for the feature are:

  • Skip the 1st authentication step by checking a "keep me logged in" checkbox on the login page.
  • Skip the 2nd authentication step by checking a "trust this browser" checkbox on the 2nd-factor page.

The Remember-Me feature is available in both the JSP-Loginapp and the Loginapp REST UI.

This article is only valid for the Loginapp REST UI and the Loginapp REST API.

For more information about the JSP-Loginapp solution, see Remember-Me (keep me logged in) with JSP-Loginapp.

Implementation overview

The Remember-Me feature is implemented by the following two authentication flow steps:

  • Remember-Me User Identifying Step – this step verifies the Remember-Me cookie, identifies the user, and issues tags that can be used to simplify the authentication flow.
  • Remember-Me Token Generating Step – this step generates the cookie with the Remember-Me token. It is placed in the authentication flow after the user has been authenticated and is typically activated using the dynamic step activation (DSA) feature.

In addition to using the steps in an authentication flow, the logout behavior configuration determines what to do if a user explicitly logs out, i.e. clicks on a logout button or link. Depending on the use case one of the following behaviors is required:

  1. REMOVE_COOKIE – removes the cookie when pressing the logout button so that the user has to be fully re-authenticated in the next session. This behavior is the default and typically used if the Remember-Me feature is used to skip the password check.
  2. KEEP_COOKIE – this leaves the cookie untouched when pressing the logout button so that it can still be used in the next session. This behavior is, for example, used when the Remember-Me feature is used to skip the 2nd authentication factor.

Limitations

  • Only one Remember-Me cookie can be stored in a browser/device for all authentication flows. The Remember-Me steps may be used in several flows but all refer to the same cookie. This requires only one Remember-Me configuration for all flows.
  • Only one user can be identified by a Remember-Me cookie. When another user logs in using the same browser/device, the Remember-Me cookie in the browser's cookie store is overwritten.
  • So far, only limited management capabilities have been implemented. The user management in the Adminapp is limited to seeing whether a user has stored logins at all and a button to invalidate all stored logins of the user.
  • The REST API has been designed for clients with built-in cookie support.

Remember-Me token migration

Remember-Me tokens issued by the JSP-Loginapp are accepted by the Remember-Me feature of the Loginapp REST UI (but not vice versa). Thus, when migrating to the new login application, users can still benefit from existing Remember-Me tokens and do not have to fully authenticate themselves.

To enable token migration, the JSP-Loginapp's Remember-Me settings must be referenced in the authentication flow configuration's Remember-Me settings.