Handling existing sessions in ForgeRock Authentication Trees

If you utilise authentication trees for continuous, transactional, or step up authentication/authorisation scenarios, you will need to understand how to handle existing sessions from within a tree.

2 min read · Jun 4, 2019


First we will check if a session already exists. For this we will utilise a simple scripted decision node.

Scripted Decision Node

This ActiveSession script contains the following code:


```javascript
// existingSession is only bound by AM when the tree runs as a session upgrade
if (typeof existingSession !== 'undefined') {
    outcome = "Yes";
    //existingAuthLevel = existingSession.get("AuthLevel");
} else {
    outcome = "No";
    //logger.error("Not a session upgrade.");
}
```

Note the commented-out line: it is not used in this example, but it shows how to extract information (here the session's AuthLevel) from the existing session from within this script.

If the user does not have an active session, we proceed as we normally would and prompt for their username. However, if a session does exist, we can simply utilise the Get Session Data Node, where we extract the UserId and store it as the username.

Get Session Data Node

This could also have been achieved from within the ActiveSession script; however, I find this method makes the tree more logical and modular.
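As an added example (not code from the original post), the script below models the same ActiveSession decision as a plain function so it runs under Node: the AM bindings `existingSession` and `outcome` are passed in and returned instead of being supplied by the node. It goes one step beyond the post by also reading AuthLevel and UserId from the session and adding an assumed third outcome, `StepUp`, for a session whose AuthLevel is below the level this transaction requires; the `requiredAuthLevel` parameter and the sample sessions are constructed for the example.

```javascript
// Added example: models an AM scripted decision node as a pure function.
// In AM the node provides existingSession (a Map of session properties)
// and reads the global `outcome`; here both are explicit.
// The "StepUp" outcome and requiredAuthLevel threshold are assumptions,
// not part of the original post.

function decideExistingSession(existingSession, requiredAuthLevel) {
  // Not a session upgrade: no session is bound, so authenticate from scratch.
  if (typeof existingSession === 'undefined' || existingSession === null) {
    return { outcome: 'No', username: null, authLevel: null };
  }

  // Session properties are strings in AM; parse AuthLevel defensively so a
  // missing or malformed value is treated as "too weak", not as "sufficient".
  const parsedLevel = Number.parseInt(existingSession.get('AuthLevel'), 10);
  const authLevel = Number.isNaN(parsedLevel) ? null : parsedLevel;
  // Same value the Get Session Data Node would copy into the username.
  const username = existingSession.get('UserId') || null;

  if (authLevel === null || authLevel < requiredAuthLevel) {
    // Session exists but does not meet the required level: force step-up.
    return { outcome: 'StepUp', username, authLevel };
  }
  return { outcome: 'Yes', username, authLevel };
}

// Constructed sample sessions (not real AM data).
const strongSession = new Map([['UserId', 'alice'], ['AuthLevel', '10']]);
const weakSession = new Map([['UserId', 'bob'], ['AuthLevel', '0']]);

console.log(decideExistingSession(undefined, 5));     // outcome: 'No'
console.log(decideExistingSession(strongSession, 5)); // outcome: 'Yes'
console.log(decideExistingSession(weakSession, 5));   // outcome: 'StepUp'
```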
