With CYM-Identity, you decouple the user sessions on applications from the Identity Provider session.
When an application asks the Realm to authenticate the user, an Identity Provider Session starts when the user enters her credentials.
When a response reaches the application, the application can start its own session:
  1. Through the sole use of its own cookies
  2. Through the use of the id_token provided by CYM-Identity
The Community session and the application session can be completely decorrelated.
Below is an example where the community session expires first, and both App 1 & App 2 still have valid sessions.
[Figure: Session Timeout Flow]

Identity Provider Session

When a user logs into a Salesforce community, her community session is configured based on her Salesforce Profile Session Configuration.

Application Session

Each application in your ecosystem will have its own session requirements. You can leverage multiple features of CYM-Identity to answer your different needs.

Selective Authentication

You can request CYM-Identity to only log in the user if she has not logged in recently. Your application can define what recently means and then pass that information in the authentication request through the max_age parameter.
https://openid.provider/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://your.awesome.app/callback&
scope=openid%20profile&
state=STATE_OF_YOUR_APP&
max_age=1800
The example above requires the user to log in if she has not logged in within the last 30 minutes (1800 seconds).

Forced Authentication

If your application requires that the user must log in (because of a long period of inactivity, for example), you can request CYM-Identity to show the login page to the user even if there's an active session on the Identity Provider.
Your authentication request must include the parameter prompt with the value login:
https://openid.provider/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://your.awesome.app/callback&
scope=openid%20profile&
state=STATE_OF_YOUR_APP&
prompt=login

Verify the session information

CYM-Identity uses the auth_time attribute in the id_token to communicate when the user last authenticated. You can use this value to verify that the authentication corresponds to your application's security requirements.
If it does not meet your requirements, you can require the user to reauthenticate.
Always verify that auth_time is within an acceptable window, even if your request included prompt=login or max_age.
Because the authentication request travels through browser redirections, a user can easily remove these parameters and gain inappropriate access.
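
One way to enforce this check on the application side, as an added example (not CYM-Identity code). It assumes the id_token's signature, iss, aud and exp were already validated by your OpenID Connect library; the function names, the 30-second clock-skew leeway and the sample claims are constructed for illustration.

```python
import time
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://openid.provider/authorize"  # endpoint from the page's examples

class ReauthenticationRequired(Exception):
    """The id_token does not prove a recent enough login."""

def check_auth_time(claims, max_age, now=None, leeway=30):
    """Return the age of the login in seconds, or raise ReauthenticationRequired.

    claims: id_token claims, assumed already validated (signature, iss, aud, exp).
    max_age: oldest acceptable authentication in seconds; leeway: clock skew.
    """
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        raise ReauthenticationRequired("auth_time missing or not numeric")
    if auth_time > now + leeway:
        raise ReauthenticationRequired("auth_time lies in the future")
    age = now - auth_time
    if age > max_age + leeway:
        raise ReauthenticationRequired(f"login is {int(age)}s old, limit is {max_age}s")
    return max(age, 0)

def reauth_url(client_id, redirect_uri, state, max_age):
    """Build a fresh authentication request that forces the login page."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": "openid profile",
        "state": state, "prompt": "login", "max_age": max_age,
    })

def session_decision(claims, max_age, now=None):
    """Return ("start_session", age) or ("reauthenticate", reason)."""
    try:
        return ("start_session", check_auth_time(claims, max_age, now=now))
    except ReauthenticationRequired as exc:
        return ("reauthenticate", str(exc))

# Constructed sample claims (not real tokens).
NOW = 1_700_000_000
FRESH = {"sub": "user-1", "auth_time": NOW - 600}
STALE = {"sub": "user-1", "auth_time": NOW - 7200}  # older than the app's window
NO_CLAIM = {"sub": "user-1"}                        # auth_time absent: fail closed

if __name__ == "__main__":
    for claims in (FRESH, STALE, NO_CLAIM):
        print(session_decision(claims, max_age=1800, now=NOW))
```

On a "reauthenticate" decision the application does not start its session and redirects the browser to reauth_url(...) with a new state value.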