PingAM 8.0.0

Configure client-side sessions

Client-side sessions require additional setup in your environment to keep the sessions safe, and to ensure both the browser and the web server where AM runs can manage large cookies. Additionally, some AM features can’t be used with client-side sessions. Review the following list before configuring client-side sessions:

Planning for client-side sessions

  • Make sure the trust store used by AM has the necessary certificates installed:

    • A certificate is required for encrypting JWTs containing client-side sessions.

    • If you are using RS256 signing, then a certificate is required to sign JWTs. (HMAC signing uses a shared secret.)

    The same certificates must be stored on all servers participating in an AM site. Find information about managing certificates for AM in Secrets, certificates, and keys.

  • Make sure your users' browsers can accommodate larger session cookie sizes required by client-side sessions. Find information about session cookie sizes in Session cookies and session security.

  • Make sure the AM web container can accommodate an HTTP header that is 16K in size or greater. When using Apache Tomcat as the AM web container, configure the server.xml file’s maxHttpHeaderSize property to 16384 or higher.

  • Make sure your deployment doesn’t require any of the capabilities specified in the list of limitations that apply to client-side sessions.

Configure client-side journey sessions

  1. In the AM admin UI, go to Realms > Realm Name > Authentication > Settings > Trees.

  2. From the Authentication session state management scheme drop-down list, select JWT.

  3. In the Max duration (minutes) field, enter the maximum life of the journey session in minutes.

    You can also set the maximum duration in a tree or at the node level. Learn more in Maximum duration.

  4. Save your changes.

  5. Go to Configure > Authentication > Core > Security.

  6. In the Organization Authentication Signing Secret field, enter a base64-encoded HMAC secret that AM uses to sign the JWT that is passed back and forth between the client and AM during the authentication process. The secret must be at least 128-bits in length.

  7. Save your changes.

  8. Protect your client-side journey sessions.

    Learn more in Client-side session security.

Configure client-side authenticated sessions

  1. In the AM admin UI, go to Realms > Realm Name > Authentication > Settings > General.

  2. Select the Use Client-Side Sessions check box.

  3. Save your changes.

  4. Protect your client-side authenticated sessions.

    Learn more in Client-side session security.

  5. Verify that AM creates a client-side authenticated session when non-administrative users authenticate to the realm.

    Perform the following steps:

    • Authenticate to the AM admin UI as the top-level administrator (by default, the amAdmin user). Note that sessions for the top-level administrator are always stored in the CTS token store.

    • Go to Realms > Realm Name > Sessions.

    • Verify that a session is present for the amAdmin user.

    • In your browser, examine the AM cookie, named iPlanetDirectoryPro by default. Copy and paste the cookie’s value into a text file and note its size.

    • Open an incognito browser window that won’t have access to the iPlanetDirectoryPro cookie for the amAdmin user.

    • Authenticate to AM as a non-administrative user in the realm for which you enabled client-side authenticated sessions. Make sure you don’t authenticate as the amAdmin user this time.

    • In your browser, examine the iPlanetDirectoryPro cookie. Copy and paste the cookie’s value into a second text file and note its size. The size of the client-side session cookie’s value should be considerably larger than the size of the cookie used by the server-side session for the amAdmin user. If the cookie isn’t bigger, you’ve not enabled client-side authenticated sessions correctly.

    • Return to the original browser window in which the AM admin UI appears.

    • Refresh the window containing the Sessions page.

    • Verify that a session still appears for the amAdmin user, but that no session appears for the non-administrative user in the realm with client-side authenticated sessions enabled.