Browser/Device Management Self-Service (Remember-Me)

This article describes how to configure a protected self-service that allows end-users to manage persistently logged-in browsers or other devices, i.e. browsers or devices for which a valid remember-me cookie is stored in the Airlock IAM database.

The self-service is designed to be used with the Remember-Me in authentication flows feature, which can be used to implement different use cases (for example keep me logged in or Trust this browser).

Whether using the self-service described here is useful, depends on how the remember-me feature is used: The self-service is primarily intended for keep me logged-in-like use cases as it shows the end user the browsers/devices that are logged in.

remember-me-management-en
  • The self-service displays the following information per remembered browser or device:
  • The operating system and platform of the browser/device (derived from the User-Agent HTTP header).
  • The date and time when the user logged in to the browser/device.
  • The geolocation of the browser at the time the user logged in (if available and configured to be displayed).
  • The IP address of the browser at the time the user logged in (if available and configured to be displayed).
  • If one of the remembered browsers/devices is the one the user is currently using, it is marked with the label (current device).
  • A button to log out of the browser or device (if configured). The button is not available for the current device.

What information to display?

The information displayed with each browser or device helps the user to recall the login process and thus allows the user to identify each browser or device.

Geolocations are based on the client IP address as reported by the configured geolocation service and may deviate from the actual location of the browser/client.

Configuration of the Loginapp REST API

The configuration requires the following steps.

  • Remember-Me device list configuration:
    Configure the protected self-service to enable the REST API to return the information about the logged-in browsers/devices.
  • Remember-Me device deletion flow configuration:
         If required, configure a protected self-service flow that allows logging out of the selected browser/device.
  • UI configuration:
    If required, configure the UI to make the self-service available in the Loginapp UI.

Remember-Me device list configuration

To configure the protected self-service, proceed as follows:

  1. Go to:
    Loginapp >> Protected Self-Services
  2. In property Remember-Me Device List, add a plugin of type Remember-Me Device List (if not yet defined). Open the plugin.
  3. In property Remember-Me Settings, connect the settings object used in the authentication flow (in Loginapp >> Applications and Authentication >> Remember-Me Settings).
  4. Enable Include Geolocation if required.
    Enable it, if you want to display the geolocation in the self-service. The geolocation is only available if stored in the IAM database when the browser was logged in. To assure this, a geolocation provider must be configured in Loginapp >> REST Settings >> Geolocation Provider (in group Advanced Settings).
  5. Enable Include IP Address if required.
    Enable it, if you want to display the browser's/client's IP address in the self-service.
  6. The User-Agent Mapping property allows configuring a list of mappings used to translate HTTP User-Agent header values to displayable OS/platform strings.
    This may be helpful if the client is a custom app or a very exotic browser. You may, for example, map your custom mobile app's User-Agent string to something like My Mobile Banking App V2.1.

Remember-Me device deletion flow configuration

To allow the user to log out of a selected browser or device, a protected self-service flow must be configured as shown in the following.

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. In property Flows, add a new element of type Default Remember-Me Device Deletion Flow to the list and configure it as follows.
  3. Create a new Flow ID (e.g. with ID remember-me-delete-device). The ID is used to select the flow in a REST client and is needed in the Loginapp UI configuration.
  4. In property Remember-Me Settings, connect the settings object used above.
  5. Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.

UI configuration

To enable the self-service in the Loginapp UI, proceed as follows:

  1. Go to:
    Loginapp >> UI Settings >> Protected Self-Service UIs
  2. In property Remember-Me Device Management, add a new UI plugin and configure it: If end-users should be able to log out browsers/devices, refer to the device deletion flow configured in the previous step by referencing the corresponding flow ID (e.g. remember-me-delete-device).
  3. Go to:
    Loginapp >> UI Settings >> Protected Self-Service UIs >> Flow UIs
  4. Add a new Protected Self-Service UI for the flow ID of the device deletion flow defined above (e.g. remember-me-delete-device). It connects the Logout button to the corresponding device deletion flow.
  5. As Completion Target use the plugin Remember-Me Device Management UI Redirect, so the device list is shown again after logging out of a browser or device.
  6. As Cancellation Target also use the plugin Remember-Me Device Management UI Redirect.