Remember-Me in authentication flows

The Airlock IAM Remember-Me solution allows authentication flows to be simplified for users, based on persistent cookies stored in the user's web browser (or any other client).

When activated, it stores a persistent cookie in the browser after the end-user has been authenticated. The cookie is then processed in subsequent sessions to re-identify the user and may be used to simplify the authentication flow, e.g., to skip the password check.

Note that a self-service function allows end-users to view and manage their stored remember-me tokens.

Typical use-cases for the feature are:

  • Skip the 1st authentication step by checking a "keep me logged in" checkbox on the login page.
  • Skip the 2nd authentication step by checking a "trust this browser" checkbox on the 2nd-factor page.

Implementation overview

The following two authentication flow steps implement the Remember-Me feature:

  • Remember-Me User Identifying Step – verifies the Remember-Me cookie, identifies the user, and issues tags that can be used to simplify the authentication flow.
  • Remember-Me Token Generating Step – generates the cookie with the Remember-Me token. It is placed in the authentication flow after the user has been authenticated and is typically activated using the dynamic step activation (DSA) feature.

In addition to using the steps in an authentication flow, the logout behavior configuration determines what to do if a user explicitly logs out, i.e., clicks on a logout button or link.

Depending on the use case, one of the following behaviors is selected:

  • REMOVE_COOKIE – removes the cookie when the logout button is pressed, so the user has to be fully re-authenticated in the next session. This behavior is the default and is typically used if the Remember-Me feature is used to skip the password check.
  • KEEP_COOKIE – leaves the cookie untouched when the logout button is pressed, so it can still be used in the next session. This behavior is used, for example, when the Remember-Me feature is used to skip the 2nd authentication factor.

In case of an account lock, Remember-Me cookies can be automatically invalidated. See Cleanup on user lock for details.
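The two flow steps, the two logout behaviors and the cleanup on user lock described above, modelled end to end as an added Python example. This is an illustration written for this page, not Airlock IAM's own code: the cookie name, the 30-day lifetime, the `remember-me` tag, the `Browser` stand-in for a client cookie store and the `login` flow function are all assumptions. The server only keeps a hash of the random token, so a leaked token table cannot be replayed as cookies.

```python
"""Constructed model of a Remember-Me token lifecycle (illustration, not Airlock IAM code)."""
import hashlib
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "remember-me"              # assumed cookie name
TOKEN_LIFETIME_SECONDS = 30 * 24 * 3600  # assumed lifetime: 30 days
REMOVE_COOKIE, KEEP_COOKIE = "REMOVE_COOKIE", "KEEP_COOKIE"


def _digest(token):
    # Only the hash is persisted server-side; the clear token lives only in the cookie.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float


@dataclass
class RememberMeStore:
    records: dict = field(default_factory=dict)  # sha256(token) -> TokenRecord

    def generate(self, user_id, now):
        """Token Generating Step: random token, hashed record, Set-Cookie value."""
        token = secrets.token_urlsafe(32)
        self.records[_digest(token)] = TokenRecord(user_id, now + TOKEN_LIFETIME_SECONDS)
        set_cookie = (f"{COOKIE_NAME}={token}; Max-Age={TOKEN_LIFETIME_SECONDS}; "
                      "Path=/; Secure; HttpOnly; SameSite=Lax")
        return token, set_cookie

    def identify(self, token, now):
        """User Identifying Step: returns (user_id, tags), or (None, []) without a valid token."""
        if token is None:
            return None, []
        key = _digest(token)
        rec = self.records.get(key)
        if rec is None:
            return None, []
        if rec.expires_at <= now:
            del self.records[key]            # expired: drop the server-side record
            return None, []
        return rec.user_id, ["remember-me"]  # tag the flow uses to skip a step

    def logout(self, token, behavior):
        """Logout behavior: returns the Set-Cookie header to send, or None for KEEP_COOKIE."""
        if behavior == REMOVE_COOKIE:
            if token is not None:
                self.records.pop(_digest(token), None)   # invalidate server-side too
            return f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly"
        if behavior == KEEP_COOKIE:
            return None
        raise ValueError(f"unknown logout behavior {behavior!r}")

    def invalidate_user(self, user_id):
        """Cleanup on user lock / admin 'invalidate all stored logins'; returns count removed."""
        doomed = [k for k, r in self.records.items() if r.user_id == user_id]
        for k in doomed:
            del self.records[k]
        return len(doomed)


class Browser:
    """Assumed client cookie store: holds at most one Remember-Me cookie, so a new login overwrites it."""

    def __init__(self):
        self.cookie = None

    def apply(self, set_cookie):
        if set_cookie is None:
            return
        value = set_cookie.split(";")[0].split("=", 1)[1]
        self.cookie = value or None      # empty value with Max-Age=0 deletes the cookie


def login(store, browser, user_id, password, credentials, keep_me_logged_in, now):
    """Assumed flow: identifying step first; password step only if the cookie does not identify this user."""
    steps = []
    identified, tags = store.identify(browser.cookie, now)
    if identified == user_id and "remember-me" in tags:
        steps.append("identified-by-remember-me")   # 1st step skipped
    else:
        steps.append("password")
        if credentials.get(user_id) != password:
            return steps + ["failed"]
    if keep_me_logged_in:                           # DSA would activate this step
        steps.append("token-generating")
        _, set_cookie = store.generate(user_id, now)
        browser.apply(set_cookie)
    return steps + ["authenticated"]
```

Running `login` twice for the same user shows the password step skipped on the second call; logging in as a second user from the same `Browser` overwrites the cookie, so the first user's token is no longer presented even though its server-side record persists until `invalidate_user` or expiry removes it.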

Limitations

  • Only one Remember-Me cookie can be stored in a browser/device for all authentication flows. The Remember-Me steps may be used in several flows but all refer to the same cookie. This requires only one Remember-Me configuration for all flows.
  • Only one user can be identified by a Remember-Me cookie. When another user logs in using the same browser/device, the Remember-Me cookie in the browser's cookie store is overwritten.
  • So far, only limited management capabilities have been implemented. User management in the Adminapp is limited to seeing whether a user has stored logins at all and a button to invalidate all stored logins of the user.
  • The REST API has been designed for clients with built-in cookie support.

Remember-Me token migration

Remember-Me tokens issued by the JSP-Loginapp are accepted by the Remember-Me feature of the Loginapp UI (but not vice versa). Thus, when migrating to the new login application, users can still benefit from their Remember-Me tokens and do not have to fully authenticate themselves again.

To enable token migration, the JSP-Loginapp's Remember-Me settings must be referenced in the authentication flow configuration's Remember-Me settings.